CVE-2022-29499
Published: 26 April 2022
Summary
CVE-2022-29499 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Mitel Mivoice Connect. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2022-29499 affects the Service Appliance component in Mitel MiVoice Connect through version 19.2 SP3, including the SA 100, SA 400, and Virtual SA appliances. It arises from incorrect data validation (CWE-20) and enables remote code execution with a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can send specially crafted data to the affected appliances over the network to execute arbitrary code, resulting in complete loss of confidentiality, integrity, and availability on the target system.
Mitel's Product Security Advisory 22-0002 provides official guidance on the issue, while CISA includes the CVE in its catalog of known exploited vulnerabilities, indicating that public mitigations and patches should be applied promptly.
The associated EPSS score has reached a peak of 0.9094 with a current value of 0.8862, confirming substantial real-world exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33836
Vulnerability details
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
- CWE(s)
- KEV Date Added
- 27 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all input to the Service Appliance, eliminating the improper data validation (CWE-20) that enables unauthenticated RCE.
Mandates timely application of vendor patches or mitigations for the known flaw in MiVoice Connect through 19.2 SP3, directly closing the actively exploited RCE vector.
Enforces boundary controls that can restrict network access to the vulnerable SA 100/400/Virtual SA appliances, reducing the attack surface for remote unauthenticated exploitation.