Several cybersecurity research groups have identified and studied the use of a Zero-Day vulnerability found in the Mitel VoIP MiConnect solution, CVE-2022-29499. The vulnerability exists due to improper input validation in the Mitel Service Appliance. A cyberattacker can send a specially crafted HTTP GET request to the application and execute arbitrary Operating System commands on the target system. Successful exploitation of this flaw may result in the complete compromise of the vulnerable system. This vulnerability has been successfully exploited by at least one ransomware group.
COURSE OF ACTION
While Mitel hasn't released a specific fix for this vulnerability, it is addressed in releases subsequent to the affected versions [19.2 SP3 and earlier, as well as R14.x and earlier], and remediation scripts have been provided for the discovered attack vector.
**Systems Engineering is not certified to support or remediate the technology referenced in this Security Bulletin. We recommend you contact Mitel or your Mitel partner directly for the best information and guidance to ensure your systems are up-to-date and protected.
Like all Zero-Day vulnerabilities, this Mitel exploit should remind every organization, once more, of the importance of a proactive patching practice across all technologies. While phone systems rarely receive as much attention as Operating Systems or similar prominent solutions, any vulnerable attack vector within your network topology is critical to remediate as soon as a solution is made available.