CVE-2026-0794

Critical

Published: 23 January 2026

Published

23 January 2026

Modified

18 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0136 80.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific…

flaw exists within the handling of SIP calls. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28303.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identification, reporting, and timely remediation of flaws like this use-after-free vulnerability in SIP handling via vendor patches.

SI-16 Memory Protection good match

prevent

Implements controls to minimize the impact and exploitation of memory-related flaws such as use-after-free during object operations.

SC-7 Boundary Protection partial match

prevent

Monitors and controls network communications to restrict unauthenticated inbound SIP traffic to the vulnerable ALGO 8180 devices.

Security SummaryAI

CVE-2026-0794 is a Use-After-Free (CWE-416) vulnerability affecting ALGO 8180 IP Audio Alerter devices. The flaw resides in the handling of SIP calls, where the software fails to validate the existence of an object before performing operations on it, potentially leading to a use-after-free condition and remote code execution. Published on 2026-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with no authentication required for exploitation.

Remote attackers can exploit this vulnerability over the network by sending specially crafted SIP calls to affected devices, bypassing any authentication mechanisms. Successful exploitation allows arbitrary code execution in the context of the device, potentially granting full control over the IP Audio Alerter, including its audio alerting functions and network interfaces.

The Zero Day Initiative advisory (ZDI-26-016, originally ZDI-CAN-28303) provides further details at https://www.zerodayinitiative.com/advisories/ZDI-26-016/. Security practitioners should consult this reference for recommended mitigations, such as applying vendor patches if available or implementing network segmentation to restrict SIP traffic to trusted sources.

Details

CWE(s): CWE-416

Affected Products

algosolutions

8180 ip audio alerter firmware

5.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote code execution via crafted SIP calls to a public-facing network device, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.zerodayinitiative.com/advisories/ZDI-26-016/
Third Party Advisory · zdi-disclosures@trendmicro.com