Rooting Mitel Desk Phones Through the Backdoor (CVE-2022-29854, CVE-2022-29855)

In this PoC video, SySS IT security expert Moritz Abrell demonstrates a privilege escalation attack with physical access to a vulnerable Mitel Desk Phone.

Due to an undocumented backdoor in different firmware versions of several Mitel phones, an attacker can gain root access by pressing specific keys on system boot, and then connect to a provided Telnet service as root.

This reported security issue has already been fixed by Mitel, so that this demonstrated privilege escalation attack is not successful anymore when using current firmware versions. The assigned CVE IDs concerning the demonstrated security issue are CVE-2022-29854 [2] and CVE-2022-29855 [3].

Moritz Abrell has also written a short SySS Tech Blog article about the demonstrated security vulnerability [4].

[1] SySS Security Advisory SYSS-2022-021
https://www.syss.de/fileadmin/dokumen...

[2] CVE-2022-29854
https://nvd.nist.gov/vuln/detail/CVE-...

[3] CVE-2022-29855
https://nvd.nist.gov/vuln/detail/CVE-...

[4] SySS Tech Blog article: Rooting Mitel Desk Phones Through the Backdoor
https://blog.syss.com/posts/rooting-m...

#mitel #security #vulnerability