I would go by the security advisory that shows:
First Fixed Release
11.5 Migrate to a fixed release
12.5(1)SU8 orciscocm.v1_java_deserial-CSCwd64245.cop.sha512
14SU3 orciscocm.v1_java_deserial-CSCwd64245.cop.sha512
15 not vulnerablie
I am getting a 404 on the sip invite also. In the event viewer it talks about how the user did not receive packets for at least 15 seconds on the call.