PatchDay Alert
Analysis · 3 min read · 643 words · By The Commentary Desk · Commentary

Lorenz ransomware's way in was the phone system

In 2022, Lorenz ransomware breached corporate networks through a Mitel MiVoice Connect appliance, the VoIP system, using CVE-2022-29499 as a zero-day. Telephony and unified-comms appliances are edge servers running web code, and almost nobody treats them that way.

When the Lorenz ransomware group needed initial access to corporate networks in mid-2022, they didn’t go through the VPN or the email server. They went through the phone system. CrowdStrike documented Lorenz exploiting CVE-2022-29499, a data-validation flaw in the Mitel MiVoice Connect Service Appliance, as a zero-day to get a foothold, then pivoting into the network from there. It’s one of three Mitel MiVoice Connect bugs in CISA’s catalog, alongside CVE-2022-40765 and CVE-2022-41223, and together they make a point security teams routinely miss: the VoIP appliance is an internet-facing server running web code, and it’s almost never defended like one.

The bugs

  • CVE-2022-29499 is the headline: a data-validation flaw in the Service Appliance component of MiVoice Connect that allowed remote code execution. Lorenz used it pre-disclosure as a zero-day, reaching the appliance over the internet and using it as the entry point for a network intrusion that ended in ransomware.
  • CVE-2022-40765 (command injection) and CVE-2022-41223 (code injection) are additional MiVoice Connect flaws that allow code execution by an attacker who already has access to the appliance, expanding its exploitable surface.

CISA lists all three with the ransomware flag.

Why telephony appliances are an overlooked foothold

VoIP and unified-communications platforms occupy a blind spot. They’re sold and managed as “the phone system,” a facilities-adjacent utility, not as IT infrastructure, yet a modern UC appliance is a Linux server running web applications, with network reach into the enterprise. Several things conspire to leave them exposed:

  • They’re internet-facing for remote and SIP connectivity, so the management and service components are reachable.
  • They’re owned by telecom/facilities, not security. Patching, monitoring, and network placement often fall outside the security team’s inventory and change processes entirely.
  • They have network reach. A phone system has to talk to a lot of the network, so a foothold on it is a useful pivot, exactly what Lorenz used it for.

The result is a privileged, internet-facing, network-connected server that nobody on the security side is watching, which is an ideal initial-access target. The lesson generalizes to any “appliance” that’s really a server (building-management systems, conferencing gear, badge and physical-access controllers): if it runs code and touches the network, it’s IT attack surface regardless of which department bought it.

What to do

  • Patch Mitel MiVoice Connect to fixed versions for all three CVEs. Treat UC/VoIP appliance patches as security patches, on the security team’s cadence.
  • Get the appliance’s management and service interfaces off the open internet. Restrict them to the networks that genuinely need them; expose only what SIP/telephony strictly requires, and front the rest with access controls.
  • Inventory your telephony and “facilities” appliances as IT assets. Bring VoIP, conferencing, building-management, and similar devices into your asset inventory, patch program, and monitoring. You can’t defend what you’ve mentally filed under “not IT.”
  • Segment them. A phone-system appliance shouldn’t have a flat path to your servers and data. Isolate the UC network so a compromised appliance is contained.
  • Assume compromise on long-exposed, unpatched appliances, and hunt for the appliance spawning shells, unexpected outbound connections, and lateral movement originating from the VoIP segment.
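As an added example (not from the article, CrowdStrike or Mitel), the hunting step above turned into a small detector over constructed log lines: it flags a web or service process on the appliance spawning a shell, and connections from an assumed VoIP segment (10.50.0.0/24) to anything other than its expected telephony peers, classed as lateral movement when the destination is internal and unexpected outbound otherwise. The log format, process names and address ranges are all assumptions.

```python
import ipaddress
import re

# Assumptions (constructed for this example, not taken from Mitel or the article):
VOIP_SEGMENT = ipaddress.ip_network("10.50.0.0/24")          # where the appliance lives
EXPECTED_PEERS = [ipaddress.ip_network("10.50.0.0/24"),       # other UC gear
                  ipaddress.ip_network("10.10.0.0/24")]       # SIP trunk / PBX peers
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PARENTS = {"httpd", "nginx", "java", "php-fpm"}           # assumed web/service processes
SHELLS = {"sh", "bash", "dash", "python", "perl", "nc"}

PROC_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) ppname=(?P<parent>\S+) pname=(?P<child>\S+)")
CONN_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

def suspicious_spawn(line):
    """A web/service process spawning a shell: the usual footprint of web RCE on an appliance."""
    m = PROC_RE.match(line)
    if m and m["parent"] in WEB_PARENTS and m["child"] in SHELLS:
        return f"{m['ts']} {m['host']}: {m['parent']} spawned {m['child']}"
    return None

def suspicious_conn(line):
    """Connections from the VoIP segment to anything other than its expected peers."""
    m = CONN_RE.match(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if src not in VOIP_SEGMENT or any(dst in net for net in EXPECTED_PEERS):
        return None
    kind = "lateral movement" if any(dst in net for net in INTERNAL) else "unexpected outbound"
    return f"{m['ts']} {src}->{dst}:{m['dport']}/{m['proto']}: {kind} from VoIP segment"

def hunt(lines):
    """Return findings, in log order, for lines matching either detector."""
    findings = []
    for line in lines:
        hit = suspicious_spawn(line) or suspicious_conn(line)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample log lines (a process-audit source and a flow source, merged by time).
SAMPLE_LOGS = [
    "T01 host=uc-appliance ppname=httpd pname=httpd",              # normal worker, ignored
    "T02 host=uc-appliance ppname=httpd pname=sh",                 # web process spawning a shell
    "T03 src=10.50.0.10 dst=10.10.0.5 dport=5060 proto=udp",       # SIP to an expected peer, ignored
    "T04 src=10.50.0.10 dst=10.20.0.7 dport=445 proto=tcp",        # SMB into the server network
    "T05 src=10.50.0.10 dst=203.0.113.9 dport=443 proto=tcp",      # callback to an external host
    "T06 src=10.60.0.3 dst=203.0.113.9 dport=443 proto=tcp",       # not from the VoIP segment, ignored
]
```

Running `hunt(SAMPLE_LOGS)` returns three findings: the shell spawn, the SMB connection as lateral movement, and the external callback as unexpected outbound.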

The reframe is to expand your definition of “server” to include the appliances other departments own. Lorenz proved that the phone system is a viable path to ransomware, because it’s an internet-facing server that the security team wasn’t looking at. Inventory your UC and facilities appliances, patch and segment them like the IT infrastructure they are, and stop letting “it’s just the phone system” keep a network-connected, internet-facing server out of your defenses. We flag the telephony and appliance entries because they’re the footholds that hide in the org chart’s blind spots.
