A vulnerability leading to remote code execution survived for 10 years in some Avaya VoIP phones. The bug was reported in 2009 in open-source software implemented in Avaya’s firmware but it went unnoticed until security researchers analyzed the product. An attacker exploiting this flaw could essentially hijack the affected device and extract conversations from the speakerphone. Avaya fixed the problem in a firmware update released on June 25, which “supersedes all previous Avaya IP Deskphone software releases and service packs”””
Source: https://www.bleepingcomputer.com/news/security/avaya-voip-phones-harbored-10-year-old-vulnerability/