Mitel MiVoice Connect zero-day vulnerability used by ransomware operators

Cybersecurity researchers are warning about a zero-day vulnerability in the Mitel MiVoice Connect product that is being actively exploited in the wild by at least one ransomware gang.

Mitel MiVoice Connect is a voice over IP (VoIP) phone system used by various organizations for telephony services.

As cybersecurity researchers from CrowdStrike said in their recent report, a threat actor used a critical remote code execution vulnerability (CVE-2022-29499) in Mitel MiVoice Connect to gain initial access to the network of one of CrowdStrike’s customers. The threat actor is believed to be a ransomware operator, but CrowdStrike did not attribute the attack to a specific operation. In any case, the intrusion was detected and stopped before any encryption took place.

The vulnerability resides in the Mitel Service Appliance component of MiVoice Connect, used in SA 100, SA 400, and Virtual SA products. Using this flaw, a remote attacker can execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the Mitel Service Appliance component. A remote, unauthenticated attacker can send a specially crafted HTTP GET request to the application and execute arbitrary OS commands on the target system. Successful exploitation of this flaw may result in complete compromise of the vulnerable system.

Mitel has not released an official fix for this vulnerability, but did address it in April with the release of a remediation script for MiVoice Connect versions 19.2 SP3 and earlier and R14.x and earlier.
