Security researchers have found a critical remote code execution vulnerability in popular models of enterprise VoIP desk phones made by Avaya. The flaw allows hackers to gain full control of the devices, listen in on calls and even turn the phone into a spying device. The vulnerability is located in the DHCP service, which allows the devices to automatically obtain IP addresses on the network. It turns out that the vulnerability had actually been patched a decade ago in dhclient, the open-source component that Avaya used in its firmware.”]