cvebase
CVE-2022-26143
published 2022-03-10


Priority: P1 (90) · critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-04-15)
Exploited in the wild
EPSS: 87.56% (99.7th percentile)
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.

Affected

3 ranges
Vendor | Product                  | Version range | Fixed in
mitel  | micollab                 | < 9.4         | 9.4
mitel  | micollab                 |               |
mitel  | mivoice_business_express | <= 8.1        |

Note: the description above gives the MiCollab fix as 9.4 SP1 FP1, not plain 9.4, so a 9.4 build without that service pack/feature pack is still affected; the "< 9.4 / fixed in 9.4" range understates the affected set. The second MiCollab range is listed on the page without a version bound.

Detection & IOCs (extracted from sources)

url:   GET /ucs/micollab/version.json HTTP/1.1
path:  /ucs/micollab/version.json
other: html:"MiCollab End User Portal"
  • Probe the MiCollab version endpoint at /ucs/micollab/version.json; a 200 response whose JSON body carries a "version" key with a value below 9.4 indicates a vulnerable instance. Because the fix is 9.4 SP1 FP1 (see the description), a 9.4 build without that service pack/feature pack is still affected, so treat any 9.4.x result as "confirm SP/FP level by hand" rather than "fixed".
  • Use the Shodan query html:"MiCollab End User Portal" to enumerate internet-exposed Mitel MiCollab instances, then confirm the version of each one with the probe above.
  • Actively exploited in February and March 2022 as part of the TP240PhoneHome DDoS amplification campaign. Monitor for excessive outbound UDP traffic from hosts running the TP-240 (tp240dvr) component, in particular a very large outbound-to-inbound byte ratio toward external addresses, which is the signature of a reflector being driven by spoofed trigger packets. Public reporting of the campaign identifies the exposed TP-240 service as UDP/10074, so flows with that source port are the first place to look.
  • Exploitation only requires network reachability of the TP-240 component; no credentials are needed (CWE-306: Missing Authentication for Critical Function) to trigger either the information disclosure or the denial of service.
  • Both product lines are affected: MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1. Assess them separately; the version.json probe above is a MiCollab path and does not cover MiVoice Business Express.
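The version triage described in the first detection note, as an added example (not code from the page or from Mitel). The page only states that the endpoint returns JSON with a "version" key; the sample bodies, the dotted-version format and the host names are constructed assumptions. The example keeps the check honest about the fix level: anything below 9.4 is reported as vulnerable, anything in the 9.4 line is reported for manual review because the numeric version does not reveal whether 9.4 SP1 FP1 is installed, and anything newer is reported as likely fixed. `fetch_micollab_body` is provided for live use and is not exercised offline.

```python
import json
import re
import urllib.request

# Constructed sample bodies. The page only says the endpoint returns JSON with a
# "version" key; the exact schema and version-string format are assumptions.
SAMPLE_BODIES = {
    "old_93": '{"version": "9.3.0.6"}',
    "base_94": '{"version": "9.4.0.12"}',
    "newer_95": '{"version": "9.5.0.0"}',
    "no_key": '{"status": "ok"}',
    "not_json": "<html><title>MiCollab End User Portal</title></html>",
}

# Fix level from the CVE description: MiCollab 9.4 SP1 FP1.
FIX_MAJOR_MINOR = (9, 4)

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a dotted version string, or None."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def assess_micollab_body(body):
    """Classify a version.json body as vulnerable / review / likely_fixed / unknown.

    "review" covers 9.4.x builds: the numeric version alone does not reveal
    whether 9.4 SP1 FP1 is installed, so the SP/FP level must be checked by hand.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return ("unknown", "body is not JSON")
    version = data.get("version") if isinstance(data, dict) else None
    if not isinstance(version, str):
        return ("unknown", 'no "version" key in body')
    parsed = parse_version(version)
    if parsed is None:
        return ("unknown", "unparseable version string %r" % version)
    if parsed[:2] < FIX_MAJOR_MINOR:
        return ("vulnerable", "%s is below 9.4" % version)
    if parsed[:2] == FIX_MAJOR_MINOR:
        return ("review", "%s is a 9.4 build; confirm 9.4 SP1 FP1 or later is installed" % version)
    return ("likely_fixed", "%s is newer than 9.4" % version)


def fetch_micollab_body(host, timeout=5.0):
    """Fetch the version endpoint from a live host (not used by the offline samples)."""
    url = "https://%s/ucs/micollab/version.json" % host
    req = urllib.request.Request(url, headers={"User-Agent": "micollab-version-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def assess_samples():
    """Status for every constructed sample, keyed by sample name."""
    return {name: assess_micollab_body(body)[0] for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        status, detail = assess_micollab_body(body)
        print("%-9s %-12s %s" % (name, status, detail))
```

For a live check, `assess_micollab_body(fetch_micollab_body("micollab.example.net"))` does the whole job; appliances often present self-signed certificates, so pass an `ssl` context to `urlopen` if the default verification fails rather than disabling verification globally.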
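The network-side detection from the third note, as an added example (not from the page or from any vendor tooling). It runs over constructed NetFlow-style records for a set of hosts assumed to run the TP-240 component, totals UDP bytes each host sends to and receives from external peers, and flags a host whose outbound volume is large and whose outbound-to-inbound ratio is far above anything two-way media traffic would produce. The thresholds, addresses and port numbers are assumptions for the example; the reflector's UDP/10074 source port is taken from public reporting of the campaign.

```python
from collections import Counter, defaultdict

# Hosts assumed to run the TP-240 component (constructed for the example).
TP240_HOSTS = {"10.1.1.20", "10.1.1.21"}

# Thresholds are assumptions for the example; tune to the site's normal traffic.
MIN_OUT_BYTES = 1_000_000      # only consider hosts sending at least this much UDP outbound
MIN_AMPLIFICATION = 100.0      # outbound/inbound byte ratio toward external peers

# Constructed NetFlow-style records: (src, sport, dst, dport, proto, bytes, packets)
FLOWS = [
    ("198.51.100.9", 40000, "10.1.1.20", 10074, "udp", 60, 1),              # one inbound trigger packet
    ("10.1.1.20", 10074, "198.51.100.9", 40000, "udp", 2_400_000, 40_000),  # flood back to the spoofed source
    ("10.1.1.21", 5004, "203.0.113.77", 5004, "udp", 12_000, 100),          # ordinary two-way media
    ("203.0.113.77", 5004, "10.1.1.21", 5004, "udp", 11_500, 98),
    ("10.1.1.20", 443, "10.1.1.5", 52000, "tcp", 5_000, 20),                # internal TCP, ignored
]


def summarize_udp(flows, hosts):
    """Per-host outbound/inbound UDP byte totals against peers outside `hosts`."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "peers": set(), "sports": Counter()})
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != "udp":
            continue
        if src in hosts and dst not in hosts:
            s = stats[src]
            s["out"] += nbytes
            s["peers"].add(dst)
            s["sports"][sport] += npkts
        elif dst in hosts and src not in hosts:
            stats[dst]["in"] += nbytes
    return stats


def detect_amplifiers(flows, hosts, min_out=MIN_OUT_BYTES, min_ratio=MIN_AMPLIFICATION):
    """Return alerts for hosts whose external UDP output dwarfs their input."""
    alerts = []
    for host, s in summarize_udp(flows, hosts).items():
        # A host that sends without receiving anything at all is the extreme case.
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        if s["out"] >= min_out and ratio >= min_ratio:
            alerts.append({
                "host": host,
                "out_bytes": s["out"],
                "ratio": ratio,
                "peers": sorted(s["peers"]),           # likely DDoS victims (spoofed sources)
                "top_sport": s["sports"].most_common(1)[0][0],
            })
    alerts.sort(key=lambda a: a["ratio"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_amplifiers(FLOWS, TP240_HOSTS):
        print("%s: %d bytes out, ratio %.0f:1, sport %d, peers %s"
              % (a["host"], a["out_bytes"], a["ratio"], a["top_sport"], ", ".join(a["peers"])))
```

The peer list in an alert is the set of addresses being flooded, which is what an upstream provider or the victim will ask for; the two-way media host in the sample stays quiet because its ratio is close to 1:1.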

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:N/C:P/I:P/A:C
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |

Note: CVSS v2 has no Critical band; on the v2 scale a 9.0 is High. The "CRITICAL" label on the v2 row is the page's own.