I am only able to reproduce the recent wiretapping vulnerability when the credentials entered are for the user ASSOCIATED TO THE DEVICES or LOGGED IN TO THE DEVICES the under attack. If the user is not associated with the DUT, then the problem cannot be reproduced. If that is the problem, why does Cisco say that any Extension Mobility user can trigger the vulnerability?
"Extension Mobility authentication credentials are not tied to individual IP phones. Any Extension Mobility account configured on an IP phone's Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack."