Command Injection Vulnerability in Mitel MiVoice Connect
CVE-2022-40765

6.8MEDIUM

Key Information:

Vendor: Mitel
Status: Mivoice Connect
Vendor: CVE Published:; 22 November 2022

Badges

💰 Ransomware👾 Exploit Exists🦅 CISA Reported

Summary

A vulnerability exists in the Edge Gateway component of Mitel MiVoice Connect version 19.3, which allows authenticated attackers with internal network access to perform command injection attacks. This occurs due to inadequate restrictions on URL parameters, potentially leading to unauthorized command execution.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

References

https://www.mitel.com/support/security-advisories

https://www.mitel.com/support/security-advisories/mitel-p...

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

💰
Used in Ransomware
Feb 21, 2023
👾
Exploit known to exist
Feb 21, 2023
🦅
CISA Reported
Feb 21, 2023
Vulnerability published
Nov 22, 2022
Vulnerability Reserved
Sep 18, 2022