Poly has learned that a vulnerability exists in the UC software (“UCS”) running on desktop phones and audio conference devices that could potentially allow an authenticated, remote attacker with admin privileges to cause a denial of service (DoS) condition or execute arbitrary code.

Poly has addressed this vulnerability with a software update and recommends that all customers update the UCS software with the latest version.

In addition, as a further mitigation and aligned with standard security best practices, Poly also recommends that customers change the Admin password on the phones from a default or weak password to a strong (minimum 10 character) password. This mitigation limits the ability of the attacker to compromise the phone and is the quickest measure that can be taken to reduce risk.

The issue impacts all devices that run UCS. This includes:

  • Polycom Trio conference phones
  • Polycom VVX phones
  • Polycom SoundStructure
  • Polycom SoundPoint IP phones
  • Polycom SoundStation IP conference phones

Poly takes the security of our customers and our products seriously.  Please refer to our complete security bulletin for additional information.

FAQ

1. What’s the quickest way to protect myself?
The fastest mitigation is to change the default password or a weak password to a strong password on every device and, where possible, disable the web management interface. However, we also strongly advise our customers to download and install the patch.

2. What is the definition of a strong password?
We recommend passwords be at least 10 characters long, with a mix upper and lowercase, alphabetic, numeric and special characters.  No more than two repeated characters in a row.

3. Where can I find the patch?
www.Support.Polycom.com.  We’ll also make this available on our hosted server, zero touch provisioning service, and more.

4. Is this patch available globally?
Yes. Everyone around the world with web-based management interface of VVX, Trio, SoundStructure, SoundStation, and SoundPoint IP ​software should download the patch and ensure they have a strong administrative password in place on every device.

5. Have you fixed this issue for products to be shipped shortly?
Yes.  We have addressed the issue in the factory firmware for all products shipping now.  Out of an abundance of caution, please check to make sure the Poly phone you purchase has the most recent updated version and if not, download the patch.

6. Where can I go for more information?
https://support.polycom.com/content/support/security-center.html