CVE-2022-29499
CVE-2022-29499 is a critical-severity vulnerability in Mitel Mivoice Connect with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-27). The underlying weakness is classified as CWE-20.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 57% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-06-27)
- EU (EUVD) id: EUVD-2022-33836
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-06-27)
- Weakness: CWE-20
- Affected product: Mitel Mivoice Connect
- Published:
- Last modified:
Description
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
CVE-2022-29499: Mitel MiVoice Connect Service Appliance Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2022-29499 is a remote code execution vulnerability in the Service Appliance component of Mitel MiVoice Connect. Affected appliances include the SA 100, SA 400, and Virtual SA. The flaw stems from incorrect data validation and allows an unauthenticated remote attacker to execute arbitrary code on the appliance. This vulnerability carries a CVSS 3.1 score of 9.8 (Critical) and has been actively exploited in the wild since June 2022.
Background
Mitel MiVoice Connect is a unified communications platform widely deployed in enterprise environments. The Service Appliance functions as a supporting infrastructure component that handles traffic and management tasks for the broader MiVoice Connect ecosystem. Because these appliances sit at the network edge in many deployments, they represent a high-value target for remote attackers seeking initial access to corporate voice and data networks.
Root Cause
The vulnerability is classified under CWE-20: Improper Input Validation. The Service Appliance component fails to adequately validate incoming data before processing it. This validation gap permits malformed or unexpected input to reach internal execution paths, ultimately leading to arbitrary code execution on the appliance. Inadequate sanitization of user-controllable input is a recurring pattern in this class of vulnerability and highlights the importance of strict input validation at trust boundaries.
Impact
The CVSS 3.1 vector for this flaw is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical). The metrics indicate that exploitation is possible over the network, requires no authentication, no user interaction, and no privileges. The impact on confidentiality, integrity, and availability is all assessed as High. Successful exploitation grants the attacker complete control over the appliance, with potential for lateral movement into the broader MiVoice Connect environment and adjacent enterprise networks.
The Exploit Prediction Scoring System (EPSS) score of 0.56967 places this vulnerability in the 98.95th percentile, indicating a very high probability of exploitation. In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this CVE to the Known Exploited Vulnerabilities (KEV) catalog on 27 June 2022, confirming in-the-wild exploitation.
Exploitation Walkthrough
Exploitation of this vulnerability typically involves sending a specially crafted request to the Service Appliance that bypasses its input validation routines. The attacker targets the exposed network service responsible for handling appliance management or related functions. Because no authentication is required, the attack can be launched from any network position that can reach the appliance.
Ethics Notice: The following information is provided for defensive purposes only. Organizations should use it to develop detection rules and prioritize patching, not to attempt unauthorized access to systems they do not own or administer.
A successful attack sequence generally follows this pattern:
- The attacker identifies an exposed Mitel Service Appliance on the target network, commonly over TCP ports used for appliance management.
- A crafted payload is delivered to the vulnerable endpoint, taking advantage of the missing or incorrect data validation.
- The payload is processed by the appliance, leading to remote code execution with the privileges of the service process.
- From the compromised appliance, the attacker may extract credentials, deploy persistent access mechanisms, or pivot to other systems within the voice infrastructure.
Defenders should monitor for unusual connections to Service Appliances from external or unexpected internal sources, as well as anomalous process execution or outbound network activity originating from these devices.
Affected and Patched Versions
The following products and versions are confirmed vulnerable:
- Mitel MiVoice Connect through 19.2 SP3
- Mitel Service Appliance SA 100
- Mitel Service Appliance SA 400
- Mitel Virtual Service Appliance
The vendor has released patched versions and security guidance via Mitel Product Security Advisory 22-0002. Organizations should consult the vendor advisory to confirm the exact patched release for their specific deployment.
Remediation
- Apply Vendor Patches: Upgrade Mitel MiVoice Connect and Service Appliances to a patched version as recommended in Mitel Product Security Advisory 22-0002. This is the primary remediation step.
- Network Segmentation: Restrict network access to Service Appliances so that they are reachable only from authorized management subnets. Avoid exposing them directly to the internet or untrusted networks.
- Firewall Rules: Implement strict ingress and egress firewall rules on the network segments hosting Service Appliances. Block unnecessary outbound connections that could facilitate post-exploitation activity.
- Compensating Controls: If immediate patching is not feasible, place the appliance behind a reverse proxy or VPN gateway that enforces authentication before traffic reaches the device. Be aware that this does not eliminate the underlying vulnerability.
Detection
Security teams should prioritize detection efforts given the confirmed active exploitation. Recommended detection strategies include:
- Network Monitoring: Alert on unexpected inbound connections to Service Appliances, especially from external IP ranges or non-administrative subnets.
- Endpoint and Appliance Logging: Monitor for abnormal process spawning, command execution, or file modifications on SA 100, SA 400, and Virtual SA systems.
- Threat Intelligence Feeds: Leverage signatures and indicators of compromise (IoCs) associated with CVE-2022-29499 from reliable threat intelligence sources.
- Vulnerability Scanning: Regularly scan the environment for unpatched Mitel Service Appliances and track remediation progress.
Assessment
CVE-2022-29499 represents a critical, easily exploitable vulnerability in widely deployed enterprise communications infrastructure. The combination of a 9.8 CVSS score, a 0.57 EPSS probability, and confirmed KEV inclusion makes this a high-priority patching item for any organization running affected Mitel Service Appliances. The primary lesson for the industry is the severe risk posed by missing input validation at network-facing endpoints: even a single validation oversight can lead to unauthenticated remote code execution with full system compromise. A secondary lesson is the importance of timely vendor disclosure and CISA KEV tracking, which together enable defenders to rapidly prioritize the most dangerous flaws.
References
Frequently asked questions
- What is CVE-2022-29499?
- The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
- How severe is CVE-2022-29499?
- CVE-2022-29499 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-29499 being actively exploited?
- Yes. CVE-2022-29499 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-27, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-29499?
- CVE-2022-29499 affects Mitel Mivoice Connect. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-29499?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-29499 have an EU (EUVD) identifier?
- Yes. CVE-2022-29499 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-33836. It is also flagged as exploited in the EUVD (since 2022-06-27).
- When was CVE-2022-29499 published?
- CVE-2022-29499 was published on 2022-04-26 and last updated on 2026-06-17.
References
- https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29499
Affected products (1)
- cpe:2.3:a:mitel:mivoice_connect:*:*:*:*:*:*:*:*
More vulnerabilities in Mitel Mivoice Connect
- CVE-2023-32748 — Critical (CVSS 9.8): The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated…
- CVE-2023-31458 — Critical (CVSS 9.8): A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier…
- CVE-2023-31457 — Critical (CVSS 9.8): A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and…
- CVE-2020-10211 — Critical (CVSS 9.8): A remote code execution vulnerability in UCB component of Mitel MiVoice Connect before 19.1 SP1 could allow an…
- CVE-2023-31459 — High (CVSS 8.8): A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier…
- CVE-2023-39289 — High (CVSS 7.5): A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an…
All CVEs affecting Mitel Mivoice Connect →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →