Cisco announced vulnerabilities in certain IP phones. It is pretty juicy. Here is the URL and a summary from their website.
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
Certain Cisco Unified IP Conference Station and IP Phone devices contain vulnerabilities which may allow unauthorized users to gain administrative access to vulnerable devices.
Cisco Unified IP Conference Station Administrative Bypass Vulnerability
Cisco Unified IP Conference Station 7935 and 7936 devices do not require a password when a URL is accessed directly via the administrator HTTP interface. There is a workaround for this vulnerability.
Cisco Unified IP Phone Default Account and Privilege Escalation Vulnerabilities
Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices contain a hard-coded default user account with a default password which is remotely accessible via a Secure Shell (SSH) server enabled on the phone. This default user account may be leveraged to gain administrative access to a vulnerable phone via a privilege escalation vulnerability. The default user account may also execute commands causing a phone to become unstable and result in a denial of service. The default user account cannot be disabled, removed or have its password changed. There are mitigations available for these vulnerabilities.