CVE-2022-29499, a zero-day vulnerability in Mitel VoIP appliances, has been exploited in the wild, and our researchers assess that further exploitation is likely. Patch the vulnerability without further delay.
The vulnerability was discovered by CrowdStrike researchers while investigating a suspected ransomware intrusion: the attackers had used a previously unknown remote code execution exploit against a Mitel VoIP appliance to gain a foothold in the target network.
The flaw is a remote code execution (RCE) vulnerability tracked as CVE-2022-29499, with a CVSS v3 base score of 9.8 (Critical).
It affects MiVoice Connect on the Mitel Service Appliances (SA 100, SA 400, and Virtual SA), which are widely used by organizations for their telecommunication needs. Mitel published a remediation script in April 2022 for MiVoice Connect versions 19.2 SP3 and earlier and R14.x and earlier.
Attack on Mitel appliance using CVE-2022-29499
The intrusion could have led to a ransomware attack but was detected and stopped early, before any ransomware was deployed. The attackers gained access to the network via CVE-2022-29499; the initial activity was traced to an internal IP address belonging to a Linux-based Mitel VoIP appliance on the network perimeter. The device was taken offline and examined. The attackers had tried to cover their tracks by deleting files and then using the dd utility to overwrite free space on the appliance, but forensic examination of the device still reconstructed the attack methodology.
Global Exposure Analysis of CVE-2022-29499
Mitel has a large customer base that runs its business telephony on these appliances, concentrated mainly in the US, UK, and France. CVE-2022-29499 affects the Mitel Service Appliances SA 100, SA 400, and Virtual SA.
Our Shodan analysis found 8796 Mitel appliances exposed to the internet in the US (54% of the total), 4634 in the UK, and 1365 in Canada. Windstream Communications appears to host the largest number of exposed appliances (769). Note that Shodan shows which appliances are reachable from the internet, not which ones have been patched; each exposed device should be checked against the vendor's remediation.
How critical is this vulnerability
The vulnerability arises from incorrect data validation in the appliance's diagnostic script, which lets an unauthenticated remote attacker inject operating-system commands through specially crafted requests. Once the attacker has code execution on the appliance, which sits on the network perimeter, it becomes a base for data theft and for moving further into the internal network.
Based on our AI and ML-based predictive analysis, our researchers warn that this is a highly sought-after vulnerability with an extreme likelihood of exploitation by malicious actors. We therefore recommend that all organizations look for exposed appliances and patch them immediately.
The CVE was published in the NVD on April 25, 2022, but by then at least one attempted ransomware intrusion had already taken place. CISA took longer to add it to the Known Exploited Vulnerabilities (KEV) catalog: after CrowdStrike's public write-up of the intrusion, CISA added CVE-2022-29499 to the KEV list on June 27, 2022.
At the time of writing, popular scanners such as Nessus, Nexpose and Qualys have no plugins that detect the presence of this vulnerability, so exposure has to be established from the inventory of Mitel Service Appliances and their patch status rather than from a scan.
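The following is an added, illustrative example of the bug class described above (a request parameter spliced into a shell command), not Mitel's code: the real diagnostic script's parameter names and commands are not known from this page, so the `host` parameter and the `echo` command are assumptions. The vulnerable handler is shown beside a hardened one that allow-lists the value and runs the program without a shell.

```python
import re
import subprocess

# Constructed stand-in for a "diagnostic" web handler. The parameter name
# `host` and the echo command are illustrative assumptions, not the real
# appliance's script.

# Allow-list: hostnames / IPv4 literals only, no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def run_diag_vulnerable(host: str) -> str:
    """Incorrect data validation: the request parameter is pasted into a
    shell command line, so ';', '|', '$(...)' etc. start extra commands."""
    cmd = f"echo diag: {host}"  # attacker controls the tail of the command line
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_diag_hardened(host: str) -> str:
    """Validate against the allow-list, then invoke the program with an
    argv list (no shell), so the value can only ever be one argument."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(["echo", "diag:", host], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "10.0.0.5; echo INJECTED"          # constructed injection input
    print("vulnerable ->", repr(run_diag_vulnerable(payload)))
    print("hardened   ->", repr(run_diag_hardened("10.0.0.5")))
    try:
        run_diag_hardened(payload)
    except ValueError as err:
        print("hardened   -> rejected:", err)
```

With the injected input the vulnerable handler prints a second line produced by the attacker's command, while the hardened handler rejects the value before anything runs. Even with the allow-list, passing an argv list instead of a command string is the property that makes the fix robust: a value that slips through validation still cannot become a second command.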
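Because no scanner plugin exists, one practical compensating control is to watch the appliance's web access logs for command-injection attempts. The example below is added here and is not from the page's authors or from Mitel; it scans constructed combined-format log lines (the `/diag.php` path and parameters are placeholders, not the real script) and flags requests whose percent-decoded query string contains shell metacharacters, decoding twice to catch double-encoded payloads.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: client, timestamp, request line, status. Other
# fields are skipped.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell constructs that have no business in a query string aimed at a
# diagnostic script: command separators, pipes, subshells, backticks.
# A lone '&' is not flagged because it separates query parameters.
INJECTION_RE = re.compile(r"(;|\|\||&&|\||\$\(|`|\n)")


def decode_query(path: str) -> str:
    """Return the percent-decoded query string. Decoded twice because
    attackers double-encode to slip past naive single-pass filters."""
    query = path.split("?", 1)[1] if "?" in path else ""
    return unquote_plus(unquote_plus(query))


def find_injection_attempts(lines):
    """Return (client, raw_path, matched_token) for every request whose
    decoded query contains a shell metacharacter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        found = INJECTION_RE.search(decode_query(m.group("path")))
        if found:
            hits.append((m.group("client"), m.group("path"), found.group(1)))
    return hits


# Constructed sample lines; the path and parameters are placeholders, not
# the real appliance's diagnostic script.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2022:02:13:11 +0000] "GET /diag.php?host=10.0.0.5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2022:02:13:15 +0000] "GET /diag.php?host=10.0.0.5%3B+cat+%2Fetc%2Fpasswd HTTP/1.1" 200 73',
    '198.51.100.2 - - [10/Jun/2022:02:14:02 +0000] "GET /diag.php?host=10.0.0.5%2524%2528id%2529 HTTP/1.1" 200 80',
    '192.0.2.9 - - [10/Jun/2022:02:15:40 +0000] "GET /index.php HTTP/1.1" 200 1024',
]


def detect_sample():
    """Run the detector over the constructed sample log."""
    return find_injection_attempts(SAMPLE_LOG)


if __name__ == "__main__":
    for client, path, token in detect_sample():
        print(f"suspicious request from {client}: {token!r} in {path}")
```

Expect some false positives from legitimate values containing `|` or `;`; the point is to surface requests to the appliance's web interface from unexpected sources, and a hit on a perimeter VoIP device should be followed by the same checks the forensic investigation above relied on (unexpected processes, deleted files, recent use of dd).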
Organizations should be watchful and patch critical vulnerabilities
Time and again, these attacks are a reminder that organizations need to check their public-facing assets and applications for vulnerabilities regularly and ensure that every vulnerability is patched without delay.
Part of vulnerability management is proactively discovering and neutralizing trending threats before they are exploited. Our Vulnerability Management Service helps you prioritize and remediate vulnerabilities based on their criticality and the threat they pose to your business.