Researchers Reveal Backdoor Rooting in Mitel Enterprise IP Phones


Cybersecurity researchers have revealed details of two medium-security flaws in Mitel 6800/6900 desk phones that, if exploited successfully, could allow an attacker to gain root privileges on the devices.

Tracked as CVE-2022-29854 and CVE-2022-29855 (CVSS score: 6.8), the access control issues were discovered by German penetration testing company SySS, after which patches were shipped in May 2022.

“This undocumented backdoor allows an attacker with physical access to a vulnerable desk phone to gain root access by pressing specific keys during system startup and then connecting as a root user to a offered Telnet service,” said SySS researcher. Matthias Deeg in a statement. shared with The Hacker News.

Specifically, the issue relates to a previously unknown functionality present in a shell script (“”) in the phones firmware that is designed to run at system startup.

“The shell script ‘’, located in the ‘/etc’ directory on the phone, checks whether the ‘*’ and ‘#’ keys are pressed simultaneously during system startup,” the researchers say. said† The phone then sets its IP address to ‘10.30.102’[.]102′ and start a Telnet server. A Telnet login can then be performed with a static root password.”

Successful exploitation of the flaws can allow access to sensitive information and code execution. The vulnerabilities affect 6800 and 6900 series SIP phones with the exception of the 6970 model.

Users of affected models are advised to update to the last firmware to mitigate any potential risk arising from exploiting the privilege escalation attack.

This is not the first time such backdoor features have been discovered in telecommunications-related firmware. In December 2021, RedTeam Pentesting revealed two such bugs in Auerswald’s VoIP devices that can be exploited to gain full administrative access to the devices.