Mitel SIP phones experienced a variant of Mirai-based Aquabotv3 botnet attack, targeting a vulnerability (CVE-2024-41710) across several models, including the 6970 Conference Unit up to firmware version R6.4.0.HF1. This attack allowed Aquabotv3 to recruit the phones into a DDoS botnet potentially disrupting communications. Mitel had issued firmware updates to address this issue, but the emergence of PoC exploit code and subsequent attack highlights the ongoing threat to IoT devices. The attack could lead to operational disruptions and compromise the confidentiality and integrity of communications.

The Lorenz ransomware gang used a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks. Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, and obtained a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment. These devices are used by organizations in critical sectors worldwide (including government agencies), with over 19,000 devices currently exposed to attacks over the Internet. Though Mitel has addressed the vulnerability by releasing security patches in early June 2022 after releasing a remediation script for affected MiVoice Connect versions in April, the threat actors recently exploited other security flaws impacting Mitel devices in record-breaking DDoS amplification attacks.