CVE-2022-40765

CVSS 6.8 MEDIUM · EPSS 10.5% · KEV · CWE-77
Vexday Risk Score: 48 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS 6.8 · EPSS 10.5% · KEV: yes · PoC · Nuclei · Metasploit · Patch
Lifecycle
22 Nov 2022: Published on NVD
21 Feb 2023: Active exploitation (CISA KEV)
Recommendation: Plan a near-term fix — a public PoC already exists.
In short

An authenticated attacker with internal network access can inject malicious commands into Mitel MiVoice Connect through URL parameters that aren't properly restricted, potentially compromising the system.

Technical detail

A CWE-77 command injection vulnerability in the Edge Gateway component allows authenticated internal users to execute arbitrary commands via insufficiently validated URL parameters. Exploitation requires valid credentials and network access to the affected system (versions through 19.3 (22.22.6100.0)).

Summary generated and translated by AI from the official description.
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters.
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
