Vulnerability Details : CVE-2022-26143
Potential exploit
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.
Vulnerability category: Denial of service
Products affected by CVE-2022-26143
- cpe:2.3:a:mitel:micollab:*:*:*:*:*:-:*:*
- cpe:2.3:a:mitel:micollab:9.4:-:*:*:*:-:*:*
- cpe:2.3:a:mitel:micollab:9.4:sp1:*:*:*:-:*:*
- cpe:2.3:a:mitel:mivoice_business_express:*:*:*:*:*:*:*:*
CVE-2022-26143 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
MiCollab, MiVoice Business Express Access Control Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2022-26143
Added on
2022-03-25
Action due date
2022-04-15
Exploit prediction scoring system (EPSS) score for CVE-2022-26143
64.77%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-26143
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.0
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:C |
10.0
|
8.5
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-29 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-26143
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-26143
-
https://www.akamai.com/blog/security/phone-home-ddos-attack-vector
Access DeniedMitigation;Third Party Advisory
-
https://blog.cloudflare.com/cve-2022-26143/
Just a moment...Mitigation;Third Party Advisory
-
https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143/
Record breaking DDoS Potential Discovered: CVE-2022-26143 - Team CymruMitigation;Third Party Advisory;Broken Link
-
https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector/
CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector | The Shadowserver FoundationMitigation;Third Party Advisory
-
https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001
Mitel Product Security Advisory 22-0001Vendor Advisory
-
https://news.ycombinator.com/item?id=30614073
TP240PhoneHome Reflection/Amplification DDoS Attack Vector | Hacker NewsIssue Tracking;Third Party Advisory
-
https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion/
New method that amplifies DDoSes by 4 billion-fold. What could go wrong? | Ars TechnicaExploit;Press/Media Coverage;Third Party Advisory
Jump to