27 June 2022

Mitel MiVoice Connect zero-day vulnerability used by ransomware operators

Cybersecurity researchers are warning about a zero-day vulnerability in the Mitel MiVoice Connect product that is being actively exploited in the wild by at least one ransomware gang.

Mitel MiVoice Connect is a voice over IP (VoIP) phone system used by various organizations for telephony services.

As cybersecurity researchers from CrowdStrike said in their recent report, a threat actor used the critical remote code execution vulnerability (CVE-2022-29499) in Mitel MiVoice Connect to gain initial access to one of its customers’ networks. The threat actor is believed to be a ransomware operator, but CrowdStrike did not attribute the attack to a specific operation. The intrusion was detected and stopped before any encryption took place.

The vulnerability resides in the Mitel Service Appliance component of MiVoice Connect, used in SA 100, SA 400, and Virtual SA products. Using this flaw, a remote attacker can execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the Mitel Service Appliance component. A remote, unauthenticated attacker can send a specially crafted HTTP GET request to the application and execute arbitrary OS commands on the target system. Successful exploitation of this flaw may result in complete compromise of the vulnerable system.

Mitel didn’t release an official fix for this vulnerability, but did address it in April with the release of a remediation script for MiVoice Connect versions 19.2 SP3 and earlier and R14.x and earlier.
