CISA Warns Mitel MiVoice Connect & IBM Aspera Faspex Vulnerabilities Exploited in Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws affecting IBM Aspera Faspex and Mitel MiVoice Connect products to its Known Exploited Vulnerabilities Catalog.

Two security bugs affecting Mitel MiVoice Connect have been added to the list. The MiVoice Connect Client is a single client interface to help you manage your business communications using a desk phone, computer, or mobile device. With support for Microsoft Windows, macOS, and Collaboration for the Web, the MiVoice Connect Client simplifies your day-to-day communications and streamlines your work.

The vulnerabilities, tracked as CVE-2022-41223 and CVE-2022-40765, have been rated ‘medium’ and they can be exploited by a remote authenticated attacker to execute arbitrary code on the system.

“A vulnerability has been identified in the Director component of Mitel MiVoice Connect versions 19.3 (22.22.6100.0) and earlier which could allow an authenticated attacker, with internal network access, to execute arbitrary code within the context of the application,” Mitel explained in its advisory for the CVE-2022-41223 flaw.

“A vulnerability has been identified in the Mitel Edge Gateway component of MiVoice Connect versions 19.3 (22.22.6100.0) and earlier which could allow an authenticated attacker, with internal network access, to execute arbitrary commands within the context of the system,” Mitel wrote in its advisory for the CVE-2022-40765 flaw.

The security holes, discovered by researchers Patrick Bennett and Brian Pitchford of CrowdStrike, were patched in October last year.

CISA on Tuesday announced that it has added CVE-2022-47986 to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. However, CISA does not provide information on the attacks exploiting these vulnerabilities.