A decade-old remote code-execution bug has been found, unpatched, in an Avaya desk phone that's used at 90 percent of Fortune 100 companies. If exploited, attackers could remotely take over the operation of the phone, exfiltrate audio and potentially even bug the phone to listen in continuously. The same bug was reported in 2009, yet its presence in the phone’s firmware remained unnoticed until now. Avaya published a firmware image that resolves the issue on June 25; admins are urged to update their gear, but it may take a while for protections to roll out across the attack surface.
Source: https://threatpost.com/critical-rce-bug-avaya-voip-phones/147122/