What is Mitel MiVoice Connect?
Mitel MiVoice Connect (formerly ShoreTel) is a unified communications platform providing voice, video, and collaboration services for enterprise environments. Its Service Appliance component is a Linux-based virtual or hardware appliance that handles call processing, voicemail, and other core telephony functions. MiVoice Connect is widely deployed in mid-to-large enterprise and government environments. VoIP infrastructure is increasingly targeted by threat actors because it provides persistent access to communication systems and often resides on networks with less rigorous security monitoring than standard IT systems.
Overview
CVE-2022-29499 is a critical remote code execution vulnerability (CWE-20, CVSS 9.8) in the Mitel MiVoice Connect Service Appliance component arising from incorrect data validation. An unauthenticated remote attacker can send specially crafted HTTP requests to the appliance that bypass input validation checks and trigger arbitrary code execution on the underlying Linux operating system. CrowdStrike published a report in June 2022 documenting a threat actor exploiting this vulnerability to gain persistent access to VoIP appliances as a network beachhead. The Known Ransomware Use designation in the Key Details below reflects exploitation by ransomware operators following initial access.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Mitel MiVoice Connect | R14.2 SP1 and earlier | R14.2 SP2 |
Technical Details
The vulnerability (CWE-20: Improper Input Validation) exists in the Service Appliance's web-based management interface. The appliance processes HTTP requests containing data values that control internal operations without properly validating the input format, type, or range boundaries.
An unauthenticated attacker can craft HTTP requests with malformed parameter values that violate the application's assumptions about valid input. The improper validation allows the attacker to manipulate the processing flow — ultimately triggering OS command execution or direct code injection in the appliance's Linux environment.
Exploitation achieves code execution with the privileges of the web server process. Because MiVoice Connect appliances are specialized Linux systems with limited built-in security tooling, maintaining persistent access after initial exploitation is relatively straightforward. CrowdStrike's analysis documented a threat actor establishing a reverse shell and deploying a custom Linux backdoor on the exploited appliance.
Discovery
The vulnerability was discovered and reported to Mitel, which published Security Advisory 22-0005 in April 2022. Active in-the-wild exploitation was first publicly documented by CrowdStrike in June 2022, describing a suspected nation-state-adjacent threat actor, not attributed to a named group, using the vulnerability to establish long-term access to VoIP infrastructure.
Exploitation Context
Mitel MiVoice Connect appliances are valuable attack targets for multiple threat actor categories:
- Nation-state actors: VoIP infrastructure provides access to enterprise communications, enabling call interception and reconnaissance of the organization's communication patterns
- Ransomware operators: Establishing access to VoIP appliances provides a persistent, often overlooked beachhead for network reconnaissance before deploying ransomware
- Criminal threat actors: VoIP infrastructure may be leveraged for toll fraud or voice phishing (vishing) infrastructure
CrowdStrike's 2022 report documented a threat actor exploiting CVE-2022-29499 to deploy a custom implant on a MiVoice Connect appliance, which was used as a persistent command-and-control (C2) relay for at least several months. The appliance's position inside the enterprise network perimeter and its typically limited security monitoring made it an effective long-term persistence mechanism.
Remediation
- Upgrade to R14.2 SP2: Apply the patch from Mitel per Security Advisory 22-0005.
- Network access restrictions: Limit access to the MiVoice Connect Service Appliance management interface to authorized administrator networks; it should not be internet-accessible.
- Audit for compromise: If the appliance was network-accessible before patching, perform forensic review. Check for unexpected processes, scheduled tasks, SSH authorized keys, and outbound network connections from the appliance.
- Review VoIP network segmentation: Ensure MiVoice Connect appliances reside on a dedicated voice VLAN with limited lateral access to enterprise IT systems.
- Monitor appliance network traffic: Deploy network monitoring for the MiVoice Connect appliance to detect unexpected outbound connections (reverse shells, beaconing to C2 infrastructure).
- Verify firmware integrity: After patching, verify the appliance OS and application files match the expected Mitel-signed versions.
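As an added defender-side example (not Mitel's code and not from the CrowdStrike report), the script below applies the "Audit for compromise" and "Monitor appliance network traffic" items to a constructed connection log: it flags appliance-originated connections outside an assumed allowlist (voice VLAN, admin/syslog network, SIP trunk peer) and reports destinations contacted at a near-constant interval, the beaconing pattern those items describe. The appliance address, networks, peers and log format are all assumptions.

```python
# Added example (not Mitel's code): flag unexpected outbound connections and
# regular beaconing from a MiVoice Connect appliance in a connection log.
import ipaddress
import statistics
from collections import defaultdict

APPLIANCE_IP = "10.20.30.5"  # assumed appliance address (constructed)
# Assumed allowlist: voice VLAN, admin/syslog network, SIP trunk provider (TLS).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.99.0.0/24")]
ALLOWED_PEERS = {("203.0.113.10", 5061)}
# Constructed log lines (RFC 5737 test ranges): epoch_seconds src dst dport proto
SAMPLE_LOG = """\
1655000000 10.20.30.5 10.20.30.7 5060 udp
1655000010 10.20.30.5 203.0.113.10 5061 tcp
1655000020 10.20.30.5 198.51.100.77 443 tcp
1655000030 10.20.30.5 10.99.0.4 514 udp
1655000080 10.20.30.5 198.51.100.77 443 tcp
1655000140 10.20.30.5 198.51.100.77 443 tcp
1655000200 10.20.30.5 198.51.100.77 443 tcp
1655000205 10.20.30.5 198.51.100.9 4444 tcp
"""

def parse_conn_line(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def is_expected(conn):
    # Appliance-originated traffic is expected only to allowlisted nets/peers.
    if any(ipaddress.ip_address(conn["dst"]) in net for net in ALLOWED_NETS):
        return True
    return (conn["dst"], conn["dport"]) in ALLOWED_PEERS

def find_beacons(conns, min_count=4, max_cv=0.15):
    # A near-constant interval between connections to one peer is a beaconing signal.
    by_peer = defaultdict(list)
    for c in conns:
        by_peer[(c["dst"], c["dport"])].append(c["ts"])
    beacons = []
    for (dst, dport), times in by_peer.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean and statistics.pstdev(gaps) / mean <= max_cv:  # low jitter
            beacons.append((dst, dport, mean))
    return beacons

def triage(log_text):
    # Only connections originated by the appliance are in scope for this check.
    conns = [parse_conn_line(l) for l in log_text.splitlines() if l.strip()]
    unexpected = [c for c in conns if c["src"] == APPLIANCE_IP and not is_expected(c)]
    return {"unexpected": unexpected, "beacons": find_beacons(unexpected)}
```

Running `triage(SAMPLE_LOG)` on the constructed log reports five unexpected connections and one beaconing peer (198.51.100.77:443 every 60 seconds); the single connection to port 4444 is flagged as unexpected but not as a beacon.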
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-29499 |
| Vendor / Product | Mitel — MiVoice Connect |
| NVD Published | 2022-04-26 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-20 |
| CISA KEV Added | 2022-06-27 |
| CISA KEV Deadline | 2022-07-18 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2022-04-19 | Mitel published Security Advisory 22-0005 |
| 2022-04-26 | CVE published |
| 2022-06-10 | CrowdStrike published report on threat actor exploiting CVE-2022-29499 for VoIP appliance persistence |
| 2022-06-27 | CISA added to KEV |
| 2022-07-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-29499 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Mitel Security Advisory 22-0005 | Vendor Advisory |