Description
The following Poly Voice IP devices, CCX, Trio, and Edge E, might be inoperable if they connect to a malicious SIP server and receive malformed data. HP is releasing updates to mitigate these potential vulnerabilities.
Published: 2026-07-01
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Poly Voice IP devices, including HP CCX, Trio, and Edge E, can become inoperable when they connect to a malicious SIP server that sends malformed data. The flaw leads to a denial of service because the devices cannot process the incorrect input, potentially rendering them offline. The underlying weakness corresponds to CWE‑400: Uncontrolled Resource Consumption.

Affected Systems

The affected devices are HP Inc’s CCX series, HP Inc:Trio C60, and Edge E voice IP products. Specific firmware or software version numbers are not listed in the advisory, so all current models running the described firmware are potentially impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating high severity. No EPSS score is provided, reflecting limited publicly available exploitation data. It is not currently listed in the CISA KEV catalog. Attackers would need to control a SIP server that the target devices communicate with, and send specially crafted malformed packets. Once in contact, the device may crash or hang, denying service to legitimate users. The condition is remote but requires that the device trust and connect to the malicious server.

Generated by OpenCVE AI on July 1, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the HP firmware update releases that address this issue, as announced in the support advisory.
  • Restrict voice device connections to trusted SIP servers by configuring allowed server lists or using network segmentation and ACLs to block unsolicited SIP traffic.
  • Monitor device logs and network traffic for abnormal SIP activity, and consider temporarily disabling external SIP connectivity on devices that cannot be immediately updated.

Generated by OpenCVE AI on July 1, 2026 at 18:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description The following Poly Voice IP devices, CCX, Trio, and Edge E, might be inoperable if they connect to a malicious SIP server and receive malformed data. HP is releasing updates to mitigate these potential vulnerabilities.
Title Poly Voice Devices (CCX, Trio, Edge E) – Potential Denial of Service
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hp

Published:

Updated: 2026-07-01T14:55:54.454Z

Reserved: 2026-02-20T17:49:42.020Z

Link: CVE-2026-2891

cve-icon Vulnrichment

Updated: 2026-07-01T14:55:48.943Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T18:30:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption