CVE-2022-29499

CVE-2022-29499 is a critical-severity vulnerability in Mitel Mivoice Connect with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-27). The underlying weakness is classified as CWE-20.

Key facts

Description

The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.

CVE-2022-29499: Mitel MiVoice Connect Service Appliance Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2022-29499 is a remote code execution vulnerability in the Service Appliance component of Mitel MiVoice Connect. Affected appliances include the SA 100, SA 400, and Virtual SA. The flaw stems from incorrect data validation and allows an unauthenticated remote attacker to execute arbitrary code on the appliance. This vulnerability carries a CVSS 3.1 score of 9.8 (Critical) and has been actively exploited in the wild since June 2022.

Background

Mitel MiVoice Connect is a unified communications platform widely deployed in enterprise environments. The Service Appliance functions as a supporting infrastructure component that handles traffic and management tasks for the broader MiVoice Connect ecosystem. Because these appliances sit at the network edge in many deployments, they represent a high-value target for remote attackers seeking initial access to corporate voice and data networks.

Root Cause

The vulnerability is classified under CWE-20: Improper Input Validation. The Service Appliance component fails to adequately validate incoming data before processing it. This validation gap permits malformed or unexpected input to reach internal execution paths, ultimately leading to arbitrary code execution on the appliance. Inadequate sanitization of user-controllable input is a recurring pattern in this class of vulnerability and highlights the importance of strict input validation at trust boundaries.

Impact

The CVSS 3.1 vector for this flaw is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical). The metrics indicate that exploitation is possible over the network, requires no authentication, no user interaction, and no privileges. The impact on confidentiality, integrity, and availability is all assessed as High. Successful exploitation grants the attacker complete control over the appliance, with potential for lateral movement into the broader MiVoice Connect environment and adjacent enterprise networks.

The Exploit Prediction Scoring System (EPSS) score of 0.56967 places this vulnerability in the 98.95th percentile, indicating a very high probability of exploitation. In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this CVE to the Known Exploited Vulnerabilities (KEV) catalog on 27 June 2022, confirming in-the-wild exploitation.

Exploitation Walkthrough

Exploitation of this vulnerability typically involves sending a specially crafted request to the Service Appliance that bypasses its input validation routines. The attacker targets the exposed network service responsible for handling appliance management or related functions. Because no authentication is required, the attack can be launched from any network position that can reach the appliance.

Ethics Notice: The following information is provided for defensive purposes only. Organizations should use it to develop detection rules and prioritize patching, not to attempt unauthorized access to systems they do not own or administer.

A successful attack sequence generally follows this pattern:

  1. The attacker identifies an exposed Mitel Service Appliance on the target network, commonly over TCP ports used for appliance management.
  2. A crafted payload is delivered to the vulnerable endpoint, taking advantage of the missing or incorrect data validation.
  3. The payload is processed by the appliance, leading to remote code execution with the privileges of the service process.
  4. From the compromised appliance, the attacker may extract credentials, deploy persistent access mechanisms, or pivot to other systems within the voice infrastructure.

Defenders should monitor for unusual connections to Service Appliances from external or unexpected internal sources, as well as anomalous process execution or outbound network activity originating from these devices.

Affected and Patched Versions

The following products and versions are confirmed vulnerable:

  • Mitel MiVoice Connect through 19.2 SP3
  • Mitel Service Appliance SA 100
  • Mitel Service Appliance SA 400
  • Mitel Virtual Service Appliance

The vendor has released patched versions and security guidance via Mitel Product Security Advisory 22-0002. Organizations should consult the vendor advisory to confirm the exact patched release for their specific deployment.

Remediation

  1. Apply Vendor Patches: Upgrade Mitel MiVoice Connect and Service Appliances to a patched version as recommended in Mitel Product Security Advisory 22-0002. This is the primary remediation step.
  2. Network Segmentation: Restrict network access to Service Appliances so that they are reachable only from authorized management subnets. Avoid exposing them directly to the internet or untrusted networks.
  3. Firewall Rules: Implement strict ingress and egress firewall rules on the network segments hosting Service Appliances. Block unnecessary outbound connections that could facilitate post-exploitation activity.
  4. Compensating Controls: If immediate patching is not feasible, place the appliance behind a reverse proxy or VPN gateway that enforces authentication before traffic reaches the device. Be aware that this does not eliminate the underlying vulnerability.

Detection

Security teams should prioritize detection efforts given the confirmed active exploitation. Recommended detection strategies include:

  • Network Monitoring: Alert on unexpected inbound connections to Service Appliances, especially from external IP ranges or non-administrative subnets.
  • Endpoint and Appliance Logging: Monitor for abnormal process spawning, command execution, or file modifications on SA 100, SA 400, and Virtual SA systems.
  • Threat Intelligence Feeds: Leverage signatures and indicators of compromise (IoCs) associated with CVE-2022-29499 from reliable threat intelligence sources.
  • Vulnerability Scanning: Regularly scan the environment for unpatched Mitel Service Appliances and track remediation progress.

Assessment

CVE-2022-29499 represents a critical, easily exploitable vulnerability in widely deployed enterprise communications infrastructure. The combination of a 9.8 CVSS score, a 0.57 EPSS probability, and confirmed KEV inclusion makes this a high-priority patching item for any organization running affected Mitel Service Appliances. The primary lesson for the industry is the severe risk posed by missing input validation at network-facing endpoints: even a single validation oversight can lead to unauthenticated remote code execution with full system compromise. A secondary lesson is the importance of timely vendor disclosure and CISA KEV tracking, which together enable defenders to rapidly prioritize the most dangerous flaws.

References

Frequently asked questions

What is CVE-2022-29499?
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
How severe is CVE-2022-29499?
CVE-2022-29499 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-29499 being actively exploited?
Yes. CVE-2022-29499 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-27, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-29499?
CVE-2022-29499 affects Mitel Mivoice Connect. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-29499?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-29499 have an EU (EUVD) identifier?
Yes. CVE-2022-29499 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-33836. It is also flagged as exploited in the EUVD (since 2022-06-27).
When was CVE-2022-29499 published?
CVE-2022-29499 was published on 2022-04-26 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Mitel Mivoice Connect

All CVEs affecting Mitel Mivoice Connect →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →