CVE-2022-26143 — MiCollab, MiVoice Business Express Access Control Vulnerability

Mitel MiCollab / MiVoice — TP-240 Unauthenticated Access Enables Billion-to-One DDoS Amplification

What is Mitel MiCollab / MiVoice Business Express?

Mitel MiCollab and MiVoice Business Express are enterprise unified communications platforms providing VoIP telephony, conferencing, messaging, and collaboration services. They are deployed by businesses as on-premises telephone systems. The platforms incorporate the TP-240 (also called TP-240/MiVoice Call Controller) telephony processing card, which handles real-time audio processing for VoIP calls. This card runs a UDP-based testing service that became the attack vector for this CVE.

Overview

CVE-2022-26143 is a missing authentication vulnerability (CWE-306) in the TP-240 telephony card present in Mitel MiCollab and MiVoice Business Express systems. An unauthenticated attacker who can reach the TP-240 testing service over UDP can invoke a test mode that sends a continuous stream of UDP packets toward an arbitrary IP address — effectively using the Mitel appliance as a high-bandwidth DDoS amplifier. Researchers dubbed this "TP240PhoneHome." The amplification ratio is approximately 4 billion to 1, making it one of the highest amplification factors ever discovered for any DDoS vector. CVSS 9.8.

Affected Versions

Product                        Vulnerable                                Fixed
Mitel MiCollab                 Versions with TP-240 firmware before 10.3 SP2   10.3 SP2
Mitel MiVoice Business Express Versions with TP-240 firmware before 10.3 SP2   10.3 SP2

Technical Details

The TP-240 card includes a UDP-based diagnostic/test service (port 10074) that was intended for internal testing only but was left accessible without authentication. The service has a command that begins a flood test — transmitting a continuous stream of UDP packets. When invoked by an attacker who spoofs the victim's IP as the source, the Mitel appliance floods the victim with high-bandwidth UDP traffic.

The extraordinary amplification factor (~4,294,967,296:1) occurs because:

  1. The attacker sends a small triggering packet to the TP-240 test service
  2. The service responds by transmitting a very large number of packets toward the spoofed source IP
  3. The ratio of attacker traffic sent vs. victim traffic received is approximately 4 billion to one

Akamai's research identified ~2,600 internet-accessible Mitel systems with the TP-240 service exposed. While each individual device provides limited bandwidth, coordinated use of multiple devices can generate significant DDoS traffic.

Discovery

Discovered by researchers at Shadowserver Foundation and Akamai Security Intelligence, who observed the novel DDoS vector being used in active attacks and published coordinated research in March 2022.

Exploitation Context

At the time of discovery, active DDoS attacks using this vector had already been observed, with peak attack sizes reported around 53 Gbps from a single Mitel system. The technique was actively used by DDoS-for-hire services and extortion groups. While primarily abused as a DDoS vector, the unauthenticated access to the telephony system also exposes call records, voicemail, and communication infrastructure.

Mitel systems that organizations had exposed to the internet (commonly done for remote worker telephony access) were weaponized against third-party victims without their owners' knowledge.

Remediation

  1. Apply Mitel patch: Update to MiVoice Business Express / MiCollab firmware version 10.3 SP2 or later, which disables the unauthenticated TP-240 test service.
  2. Firewall UDP port 10074: Block inbound and outbound access to UDP port 10074 on the TP-240 card immediately as an emergency measure before patching.
  3. Restrict internet exposure: Mitel telephony systems should not have their diagnostic/management ports internet-accessible. Use SIP trunks with SBC (Session Border Controllers) rather than direct internet exposure.
  4. Check for abuse: If your Mitel system was internet-accessible, check network logs for high-volume outbound UDP traffic to unfamiliar IP addresses — this would indicate your system was used as a DDoS reflector.
  5. Network egress monitoring: Implement egress traffic monitoring for all VoIP infrastructure — unusual outbound UDP flood traffic is an indicator of compromise or misuse.
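Steps 4 and 5 above both come down to one check: is this appliance sending high-rate outbound UDP, sourced from the TP-240 test port, to destinations it has no business talking to? The following is an added example (not Mitel's code, nor from the Akamai/Shadowserver research) that runs that check over constructed flow records; the trusted-network list, the per-destination packet-rate threshold and the 60-second window are assumptions to tune for your own environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The TP-240 test service listens on UDP/10074; its reply flood is sourced from that port.
TP240_PORT = 10074

# Constructed sample of exported flow records from the Mitel appliance 192.0.2.10:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes) over one 60-second window.
SAMPLE_FLOWS = [
    ("192.0.2.10", 10074, "203.0.113.55", 33444, "udp", 250000, 340_000_000),  # reflection flood
    ("192.0.2.10", 10074, "198.51.100.7", 41234, "udp", 1, 64),                 # single reply, trusted net
    ("192.0.2.10", 5060, "198.51.100.20", 5060, "udp", 40, 30_000),             # normal SIP signalling
    ("192.0.2.10", 10074, "203.0.113.99", 11111, "udp", 180000, 250_000_000),  # second flood target
    ("192.0.2.10", 443, "198.51.100.20", 51000, "tcp", 500, 700_000),          # unrelated TCP
]

# Assumed trusted peers (SIP trunk provider / SBC); any other destination is "unfamiliar".
TRUSTED_NETS = [ip_network("198.51.100.0/24")]


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_reflection_abuse(flows, pps_threshold=1000, window_seconds=60):
    """Aggregate outbound UDP sourced from the TP-240 port per destination and
    return the unfamiliar destinations receiving a sustained packet rate above
    the threshold, sorted by rate. These are likely DDoS reflection victims."""
    per_dst = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _src, sport, dst, _dport, proto, packets, nbytes in flows:
        if proto != "udp" or sport != TP240_PORT:
            continue
        per_dst[dst]["packets"] += packets
        per_dst[dst]["bytes"] += nbytes
    findings = []
    for dst, agg in per_dst.items():
        pps = agg["packets"] / window_seconds
        if pps >= pps_threshold and not is_trusted(dst):
            mbps = agg["bytes"] * 8 / window_seconds / 1e6
            findings.append({"dst": dst, "pps": pps, "mbps": mbps})
    return sorted(findings, key=lambda f: f["pps"], reverse=True)


if __name__ == "__main__":
    for f in find_reflection_abuse(SAMPLE_FLOWS):
        print(f"TP-240 reflection suspected -> {f['dst']}: {f['pps']:.0f} pps, {f['mbps']:.1f} Mbps")
```

A hit means the appliance was reachable on UDP/10074 and used against the listed destination; treat it as confirmation that the firewall and patch steps above are overdue, and notify the victim network where possible.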

Key Details

Property: Value
CVE ID: CVE-2022-26143
Vendor / Product: Mitel — MiCollab, MiVoice Business Express
NVD Published: 2022-03-10
NVD Last Modified: 2025-11-03
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-306
CISA KEV Added: 2022-03-25
CISA KEV Deadline: 2022-04-15
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date: Event
2022-03-08: Akamai and Shadowserver published TP240PhoneHome research
2022-03-10: CVE published; Mitel advisory published
2022-03-25: Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15: CISA BOD 22-01 remediation deadline