CVE-2022-26143
Published: 10 March 2022
Summary
CVE-2022-26143 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mitel MiCollab. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
The TP-240 (tp240dvr) component in Mitel MiCollab before version 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contains a missing authentication vulnerability (CWE-306) that permits unauthenticated remote access. This flaw carries a CVSS 3.1 score of 9.8 and enables attackers to retrieve sensitive information while triggering performance degradation and excessive outbound traffic.
Remote attackers with no credentials can exploit the issue over the network to obtain data and launch denial-of-service conditions. In practice, the component was abused in February and March 2022 as an amplification vector in the TP240PhoneHome DDoS campaign, producing outbound traffic amplification factors reported as high as four billion.
Public analyses from Cloudflare, Akamai, Team Cymru, and Ars Technica document the real-world use of this vector for record-scale DDoS attacks shortly after disclosure. The associated EPSS score reached a peak of 0.8951 and currently stands at 0.8915, reflecting sustained exploitation interest following the initial incidents.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30710
Vulnerability details
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Mitel MiCollab before 9.4 SP1 FP1
- Mitel MiVoice Business Express through 8.1
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and access restrictions on the TP-240 component, blocking the unauthenticated remote interactions that enable data exposure and DDoS reflection.
- IA-8 (Identification and Authentication (Non-organizational Users)): Requires identification and authentication for non-organizational users before any access to network-exposed services such as tp240dvr.
- SC-7 (Boundary Protection): Boundary protection mechanisms can restrict or filter inbound traffic to the vulnerable component, limiting unauthenticated remote exploitation and the outbound amplification traffic it generates.
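The amplification behaviour described in the summary (tiny unauthenticated inbound requests answered with very large outbound responses) is also the signal a defender can watch for at the network boundary: a host that emits far more bytes than it receives, to a small set of destinations, is behaving like a reflector. The following is an added example, not code from the advisory or from Mitel, that aggregates flow records per internal host and flags hosts whose outbound-to-inbound byte ratio exceeds a threshold. The flow records, host addresses and byte counts are constructed for illustration, and the thresholds are assumptions to tune against local baselines.

```python
"""Flag internal hosts whose traffic looks like reflection/amplification.

Added example (not from the advisory or from Mitel). Flow records are
constructed inline; addresses, byte counts and thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Dict[str, object]  # keys: "src", "dst", "bytes"

# Constructed sample flows (documentation address ranges). 10.0.0.5 plays a
# collaboration server that receives tiny requests and answers with very large
# responses; 10.0.0.8 and 10.0.0.9 are ordinary servers.
SAMPLE_FLOWS: List[Flow] = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "bytes": 60},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "bytes": 60},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "bytes": 60},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": 1_500_000},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": 1_500_000},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": 1_500_000},
    {"src": "198.51.100.4", "dst": "10.0.0.8", "bytes": 25_000},
    {"src": "10.0.0.8", "dst": "198.51.100.4", "bytes": 200_000},
    {"src": "10.0.0.9", "dst": "198.51.100.9", "bytes": 500},
]
LOCAL_HOSTS: Set[str] = {"10.0.0.5", "10.0.0.8", "10.0.0.9"}


def amplification_ratios(
    flows: Iterable[Flow], local_hosts: Set[str]
) -> Dict[str, Tuple[int, int, float]]:
    """Return {host: (inbound_bytes, outbound_bytes, out/in ratio)} per local host.

    A host with outbound traffic but no inbound traffic gets a ratio of
    infinity; a silent host gets 0.0, so no division-by-zero can occur.
    """
    in_bytes: Dict[str, int] = defaultdict(int)
    out_bytes: Dict[str, int] = defaultdict(int)
    for flow in flows:
        if flow["dst"] in local_hosts:
            in_bytes[str(flow["dst"])] += int(flow["bytes"])  # type: ignore[arg-type]
        if flow["src"] in local_hosts:
            out_bytes[str(flow["src"])] += int(flow["bytes"])  # type: ignore[arg-type]
    result: Dict[str, Tuple[int, int, float]] = {}
    for host in local_hosts:
        i, o = in_bytes[host], out_bytes[host]
        ratio = o / i if i else (float("inf") if o else 0.0)
        result[host] = (i, o, ratio)
    return result


def flag_amplifiers(
    flows: Iterable[Flow],
    local_hosts: Set[str],
    min_ratio: float = 10.0,       # assumed threshold; tune to local baseline
    min_out_bytes: int = 100_000,  # ignore hosts that barely send anything
) -> List[Tuple[str, float]]:
    """Hosts whose out/in byte ratio exceeds min_ratio, highest ratio first.

    The minimum outbound volume keeps a host that sent a few hundred bytes
    and received nothing (ratio = inf) from producing a false alarm.
    """
    flagged = [
        (host, ratio)
        for host, (_, out, ratio) in amplification_ratios(flows, local_hosts).items()
        if ratio > min_ratio and out >= min_out_bytes
    ]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, ratio in flag_amplifiers(SAMPLE_FLOWS, LOCAL_HOSTS):
        print(f"{host}: outbound/inbound byte ratio {ratio:.0f}x, review boundary filtering")
```

On the constructed flows only 10.0.0.5 is reported (180 bytes in, 4,500,000 bytes out, a 25,000x ratio); 10.0.0.8 stays under the ratio threshold and 10.0.0.9 is suppressed by the minimum-volume guard. In practice the same aggregation runs over NetFlow/IPFIX or firewall logs exported from the boundary devices that SC-7 already covers, and a hit on a collaboration server is a prompt to verify patch level and that the component is not reachable from untrusted networks.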