Cyber Resilience

CVE-2022-41223

MediumCISA KEVActive ExploitationEUVD ExploitedRansomware-linked

Published: 22 November 2022

Published
22 November 2022
Modified
03 November 2025
KEV Added
21 February 2023
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0280 86.4th percentile
Risk Priority 35 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-41223 is a medium-severity Code Injection (CWE-94) vulnerability in Mitel Mivoice Connect. Its CVSS base score is 6.8 (Medium).

Operationally, ranked in the top 13.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a code injection flaw, tracked as CWE-94, in the Director database component of Mitel MiVoice Connect through version 19.3 (22.22.6100.0). It stems from insufficient restrictions on database data types, allowing crafted data to be processed in a manner that can execute arbitrary code. The issue carries a CVSS 3.1 score of 6.8 with an attack vector of adjacent network and high privileges required.

An authenticated attacker with high privileges on an adjacent network can supply specially crafted data to the Director database component, achieving code injection that results in full compromise of confidentiality, integrity, and availability on the affected system.

Mitel has published security advisories, including Mitel Product Security Advisory 22-0008, that address the issue for MiVoice Connect. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.

EPSS scores have remained low, with a current value of 0.0280 and a peak of 0.0316.

EU & UK References

Vulnerability details

The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.

CWE(s)
KEV Date Added
21 February 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mitel
mivoice connect
≤ 22.22.6100.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all inputs to the Director database, blocking crafted data that exploits missing data-type restrictions for code injection.

prevent

Limits database privileges granted to authenticated accounts, reducing the ability of an administrative user to supply executable code via the vulnerable component.

prevent

Mandates prompt application of vendor patches that remediate the insufficient data-type restrictions in MiVoice Connect versions through 19.3.

References