Cyber Resilience

CVE-2022-26143

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 March 2022

Modified: 03 November 2025
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8915 (99.6th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26143 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mitel MiCollab. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

The TP-240 (tp240dvr) component in Mitel MiCollab before version 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contains a missing authentication vulnerability (CWE-306) that permits unauthenticated remote access. This flaw carries a CVSS 3.1 score of 9.8 and enables attackers to retrieve sensitive information while triggering performance degradation and excessive outbound traffic.

Remote attackers with no credentials can exploit the issue over the network to obtain data and cause denial-of-service conditions. In practice, the component was abused in February and March 2022 as an amplification vector in the TP240PhoneHome DDoS campaign, with reported outbound traffic amplification factors as high as four billion.

Public analyses from Cloudflare, Akamai, Team Cymru, and Ars Technica document the real-world use of this vector for record-scale DDoS attacks shortly after disclosure. The associated EPSS score reached a peak of 0.8951 and currently stands at 0.8915, reflecting sustained exploitation interest following the initial incidents.

EU & UK References

Vulnerability details

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.

CWE(s)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mitel micollab: 9.4 · ≤ 9.4
mitel mivoice business express: ≤ 8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly enforces authentication and access restrictions on the TP-240 component, blocking the unauthenticated remote interactions that enable data exposure and DDoS reflection.

prevent: Requires identification and authentication for non-organizational users before any access to network-exposed services such as tp240dvr.

prevent: Boundary protection mechanisms can restrict or filter inbound traffic to the vulnerable component, limiting unauthenticated remote exploitation and amplification traffic.

References