Some of Cisco’s IP phones designed for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from the affected devices. The unauthenticated remote dial vulnerability affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.
Malicious actors could obtain sensitive information by listening in on audio streams from the device, and could leverage the bug to make phone calls remotely from a vulnerable phone. A successful exploit could also be used to conduct further attacks.
Learn more about the vulnerability here.