Description
An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate.
Published: 2026-03-03
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Device Impersonation via SIP
Action: Assess Impact
AI Analysis

Impact

An embedded test key and certificate within certain Poly Voice devices can be extracted with specialized reverse‑engineering tools. If a SIP service provider accepts this extracted credential without enforcing proper certificate validation, an attacker can impersonate the legitimate device, potentially gaining unauthorized access to voice communications and data. This vulnerability is classified as CWE-321, indicating insecure management of cryptographic keys.

Affected Systems

HP Inc Edge E, HP Inc Trio 8300, and HP Inc VVX Poly Voice devices are susceptible. Version details are not explicitly listed in the advisory, so any firmware that includes the embedded test key may be affected.

Risk and Exploitability

The score of 8.2 reflects a high‑severity flaw, yet the EPSS score is under 1 %, suggesting low exploitation probability. The vulnerability is not yet listed in the CISA KEV catalog. Attackers must obtain the embedded key via reverse engineering and rely on a SIP provider that does not verify device certificates. The limited scope implies that exploitation is feasible mainly where the service provider’s validation is lax.

Generated by OpenCVE AI on April 17, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any HP firmware update that removes or secures the embedded test key.
  • Configure the SIP service provider to enforce strict certificate validation and reject test or self‑signed certificates.
  • Replace or invalidate the device’s embedded test certificate and deploy a production certificate.

Generated by OpenCVE AI on April 17, 2026 at 13:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Hp
Hp edge E
Hp trio 8300
Hp vvx
Vendors & Products Hp
Hp edge E
Hp trio 8300
Hp vvx

Tue, 03 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
Description An embedded test key and certificate could be extracted from a Poly Voice device using specialized reverse engineering tools. This extracted certificate could be accepted by a SIP service provider if the service provider does not perform proper validation of the device certificate.
Title SIP Service Providers – Possible Impersonation of Poly Voice Device
Weaknesses CWE-321
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Hp Edge E Trio 8300 Vvx
cve-icon MITRE

Status: PUBLISHED

Assigner: hp

Published:

Updated: 2026-03-03T14:38:08.616Z

Reserved: 2026-01-08T21:27:11.945Z

Link: CVE-2026-0754

cve-icon Vulnrichment

Updated: 2026-03-03T14:38:04.086Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-03T02:16:07.320

Modified: 2026-03-03T21:52:29.877

Link: CVE-2026-0754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses