CVE-2022-29499
Vexday Risk Score
70 · High priority
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 · EPSS 57.0% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
26 Apr 2022: Published on NVD
27 Jun 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Mitel MiVoice Connect's Service Appliance has a flaw that allows attackers to run malicious code remotely without proper authentication. This is critical because it can give attackers complete control over the communication system.
Technical detail
CWE-20 improper input validation in Mitel MiVoice Connect Service Appliance (SA 100, SA 400, Virtual SA) up to version 19.2 SP3 enables unauthenticated remote code execution. The vulnerability stems from insufficient data validation, allowing attackers to inject and execute arbitrary commands on affected appliances.
Summary generated and translated by AI from the official description.
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a