Decade-old remote code execution bug found in phones used by Fortune 500
Researchers with McAfee have discovered a critical security flaw in the firmware of the Avaya 9600 series IP desk phone, which is used by enterprises, including Fortune 500 companies. The vulnerability can allow threat actors to remotely execute code with the highest privileges on the phones.
The remote code execution (RCE) flaw affects an open-source component that was found to be vulnerable in 2009. However, Avaya never patched the customized version of this module that is used in the 9600 firmware. McAfee disclosed the bug to Avaya, and the company recently made a firmware patch available.