Cyber Resilience

CVE-2022-40765

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 22 November 2022

Modified: 03 November 2025
KEV Added: 21 February 2023
CVSS Score v3.1: 6.8 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0266 (86.1th percentile)
Risk Priority: 35 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40765 is a medium-severity Command Injection (CWE-77) vulnerability in Mitel MiVoice Connect. Its CVSS base score is 6.8 (Medium).

Operationally, it ranks in the top 13.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

A command-injection vulnerability exists in the Edge Gateway component of Mitel MiVoice Connect releases through 19.3 (22.22.6100.0). The flaw stems from insufficient validation of URL parameters and is tracked as CWE-77. An authenticated attacker on the adjacent network can supply crafted input that results in arbitrary command execution on the affected gateway.

Successful exploitation gives the attacker full compromise of the confidentiality, integrity, and availability of the target component (C:H/I:H/A:H). The CVSS 3.1 score of 6.8 is held down by the adjacent-network attack vector and the high privileges required (AV:A, PR:H); no user interaction is needed (UI:N), and the impact is high once the injection succeeds.

Mitel has published security advisory 22-0007 detailing the issue and directing customers to apply vendor-supplied updates. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed exploitation in the wild.

The associated EPSS score remains low, with a recorded peak of 0.0404.

Vulnerability details

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters.

CWE(s)
KEV Date Added: 21 February 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mitel · mivoice connect · ≤ 22.22.6100.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of URL parameters to block command-injection payloads before they reach the Edge Gateway.

prevent

Enforces access-control decisions on supplied parameters so that only permitted actions are executed by the authenticated session.

prevent

Limits the privileges available to the authenticated internal user, reducing the scope of commands that can be injected via the vulnerable parameters.
