CVE-2022-41223
Published: 22 November 2022
Summary
CVE-2022-41223 is a medium-severity Code Injection (CWE-94) vulnerability in Mitel MiVoice Connect. Its CVSS base score is 6.8 (Medium).
Operationally, it ranks in the top 13.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a code injection flaw, tracked as CWE-94, in the Director database component of Mitel MiVoice Connect through version 19.3 (22.22.6100.0). It stems from insufficient restrictions on database data types, allowing crafted data to be processed in a manner that can execute arbitrary code. The issue carries a CVSS 3.1 score of 6.8 with an attack vector of adjacent network and high privileges required.
An authenticated attacker with high privileges on an adjacent network can supply specially crafted data to the Director database component, achieving code injection that results in full compromise of confidentiality, integrity, and availability on the affected system.
Mitel has published security advisories, including Mitel Product Security Advisory 22-0008, that address the issue for MiVoice Connect. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
EPSS scores have remained low, with a current value of 0.0280 and a peak of 0.0316.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44464
Vulnerability details
The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.
- CWE(s): CWE-94
- KEV Date Added: 21 February 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of all inputs to the Director database, blocking crafted data that exploits missing data-type restrictions for code injection.
Limits database privileges granted to authenticated accounts, reducing the ability of an administrative user to supply executable code via the vulnerable component.
Mandates prompt application of vendor patches that remediate the insufficient data-type restrictions in MiVoice Connect versions through 19.3.