What is Mitel MiVoice Connect?
Mitel MiVoice Connect (formerly ShoreTel) is an enterprise unified communications platform providing voice, messaging, and collaboration for business telephony. The platform includes multiple components: the Director (management), the Edge Gateway (network-facing VoIP gateway), and Connect clients. Because MiVoice Connect systems are often network-accessible for remote workers and VoIP routing, vulnerabilities in edge-facing components can provide initial network access in ransomware attack chains. See also CVE-2022-41223 for the related code injection vulnerability in the Director component.
Overview
CVE-2022-40765 is a command injection vulnerability (CWE-77) in the Mitel MiVoice Connect Edge Gateway component. An authenticated attacker with internal network access and admin-level credentials can inject OS commands that execute within the system context of the Edge Gateway. CISA added both CVE-2022-40765 and CVE-2022-41223 to its Known Exploited Vulnerabilities (KEV) catalog on the same day, following confirmed ransomware exploitation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| MiVoice Connect | ≤ 19.3 SP2 (22.24.1500.0) | 19.3 SP3 |
Technical Details
The Edge Gateway component in MiVoice Connect does not properly sanitize user-supplied input before passing it to underlying OS command execution (CWE-77). An authenticated administrator can submit crafted requests to the Edge Gateway management interface that include command injection sequences.
- Attack vector: Adjacent — attacker must be on the internal network or have access to the MiVoice management interface
- Authentication required: High — admin-level credentials
- Impact: Arbitrary command execution on the Edge Gateway appliance as a system-level user
- Ransomware use: Threat actors obtained MiVoice credentials (via phishing, credential stuffing, or other means) then used this and CVE-2022-41223 to establish persistence and lateral movement capabilities before deploying ransomware
Discovery
Reported to Mitel and disclosed via coordinated advisory.
Exploitation Context
CISA's February 2023 KEV addition reflects confirmed ransomware exploitation. MiVoice Connect devices are attractive targets because they are often network-accessible with less scrutiny than core IT infrastructure, yet they may hold credentials and provide network access that facilitates lateral movement into broader enterprise environments.
Remediation
- Upgrade MiVoice Connect to version 19.3 SP3 or later
- Restrict access to the MiVoice Connect management interface to trusted internal IPs and VPN-connected administrators only
- Rotate all MiVoice Connect administrative credentials
- Review access logs for unauthorized administrator logins and unusual command activity
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-40765 |
| Vendor / Product | Mitel — MiVoice Connect |
| NVD Published | 2022-11-22 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 6.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | MEDIUM |
| CWE | CWE-77 |
| CISA KEV Added | 2023-02-21 |
| CISA KEV Deadline | 2023-03-14 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
Timeline
| Date | Event |
|---|---|
| 2022-11-22 | Mitel publishes security advisory; CVE published |
| 2023-02-21 | Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2022-41223) |
| 2023-03-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Mitel Security Advisory MSA-22-0007 | Vendor Advisory |
| NVD — CVE-2022-40765 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |