In a public alert, Avaya, based in Basking Ridge, N.J., said the bug affects users of three enterprise-facing system products.
The company strongly recommends that customers apply the critical MS06-001 patch that was released by Microsoft late last week as an emergency, out-of-cycle update.
Avaya, which sells communication equipment and software that integrate voice and data services, said all versions of its UCC (Unified Communications Center), Modular Messaging - MAS (Messaging Application Server) and the S8100/DefinityOne/IP600 Media Servers were vulnerable to the bug.
Security alerts aggregator Secunia Inc. rates the Avaya risk as "extremely critical."
According to the Avaya advisory, the products all run on the Windows 2000 operating system, which is out of mainstream product support. Microsoft only offers security patches for Windows 2000 SP4 (Service Pack 4) and newer versions of the operating system.
A spokesperson for Avaya said the company had a "high level of confidence" that its customers were using versions of Windows for which patches are available.
"As part of our ongoing communications with customers, we let them know when service packs [from Microsoft] are released. The customers were serving are getting this information from us on a regular basis," the spokesperson added.
Windows customers running Windows 2000 SP3, Windows ME and Windows 98 must pay for custom support to get security updates.
Separately, Secunia slapped a "moderately critical" rating on the way the WMF flaw affects WINE, the open-source implementation of the Windows API on top of Unix.
Successful exploitation requires that a WINE user open a malicious WMF file using an application that renders the WMF file. The flaw has been fixed in CVS repositories ("dlls/gdi/metafile.c" revision 1.12), Secunia said.