There is a remote control API available on every phone at http://<ip>/CGI/Execute
It allows a remote user to order the phone to dial any number; you can simulate key presses, i.e. you can change anything accessible via the phone menu, and so on.
This API is open by default in SIP mode: no authentication is required.
This API is not mentioned in the Administrator Guide, so an admin may not be aware of it. As a result, any attacker with physical access to an Ethernet plug connected to the phone network can order any other phone connected to that network to dial any number. As it is documented nowhere, most networks have not changed the default to something more secure. Bill fraud is imminent.
Access to /CGI/Execute can be restricted with the 'CISCO_XML_EXE_Auth_Mode' option, but it is not documented. An unofficial description based on observations can be read here: CiscoIPPhoneExecute Dial, but note that it will break access to the WWW UI; see Broken WWW UI on SPA504G.
All SPA5xx, SPA3xx, SPA1xx and SPA2xx with current firmware seem to be affected by the issue (it does not mean that older firmware is not vulnerable, I just did not test on it).
disable all inter-phone network connectivity on the switch (our way; it requires a switch that can do it)
configure the CISCO_XML_EXE_Auth_Mode value (but the WWW UI becomes unusable then)
Because bill fraud may occur, this needs to be treated as a severe security incident.
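Until the default is changed, the practical defender question is which phones are still executing unauthenticated /CGI/Execute requests and who is sending them. The script below is an added example, not part of the original post: it runs over constructed, simplified HTTP log lines (the field layout and the management-host allowlist are assumptions) and flags a phone as exposed when it answered 200 to a /CGI/Execute request that carried no credentials, and flags requests that were authenticated but came from a host outside the allowlist.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Assumed layout (one request per line):
#   ts  src_ip  dst_ip(phone)  method  uri  http_status  auth_header_present(yes|no)
SAMPLE_LOG = """\
1700000000.1 10.0.5.20 10.0.5.101 POST /CGI/Execute 200 no
1700000001.3 10.0.9.2  10.0.5.101 POST /CGI/Execute 200 yes
1700000002.7 10.0.5.21 10.0.5.102 GET  /admin/advanced 200 yes
1700000003.0 10.0.5.20 10.0.5.103 POST /CGI/Execute 401 no
1700000004.4 10.0.5.22 10.0.5.104 POST /cgi/execute 200 no
1700000005.9 10.0.5.23 10.0.5.101 POST /CGI/Execute 200 yes
"""

# Assumed allowlist: hosts that are expected to drive phones (PBX, provisioning server).
MANAGEMENT_HOSTS = {"10.0.9.2"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(yes|no)$")

def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, uri, status, auth = m.groups()
    return {"ts": float(ts), "src": src, "dst": dst, "method": method,
            "uri": uri, "status": int(status), "auth": auth == "yes"}

def classify(rec: Dict) -> Optional[str]:
    """Return a finding kind for a /CGI/Execute request, or None if it is benign."""
    if rec["uri"].lower() != "/cgi/execute":   # case-insensitive so log variants are not missed
        return None
    if rec["status"] != 200:                   # 401/403 means the phone is enforcing auth mode
        return None
    if not rec["auth"]:
        return "open-api"          # executed without credentials: auth mode still at default
    if rec["src"] not in MANAGEMENT_HOSTS:
        return "unexpected-source" # credentials present but sender is not a known controller
    return None

def find_findings(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, src, phone) for every suspicious /CGI/Execute request in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            kind = classify(rec)
            if kind:
                findings.append((kind, rec["src"], rec["dst"]))
    return findings

def exposed_phones(log_text: str) -> List[str]:
    """Sorted list of phones that executed an unauthenticated command (fix these first)."""
    return sorted({dst for kind, _, dst in find_findings(log_text) if kind == "open-api"})
```

The "open-api" list is the set of phones where CISCO_XML_EXE_Auth_Mode (or the switch isolation workaround) has not taken effect; a phone that returns 401 for the same request is already protected.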