In the world of VoIP hardware, business phones are often considered “set and forget,” quietly connecting our calls without much thought. However, some devices harbor hidden dangers—even years after deployment. One such case is CVE-2022-29855, a vulnerability found in certain Mitel SIP phone models (680 and 690 series) that exposes the devices to unauthorized root access through secret test functions. This post will break down what this vulnerability is, how attackers can exploit it, and what users can do to stay safe.
What is CVE-2022-29855?
CVE-2022-29855 is a security flaw in Mitel’s 680 and 690 Series SIP phones (except the 697 model), affecting versions:
6. (6...368) through 6.1 HF4 (6.1..165)
The problem lies in “undocumented functionality.” Essentially, there is a hidden startup test mode—originally meant only for device diagnostics or factory use—that lacks proper access controls.
*In plain terms*
If someone has physical access to the phone, they can trigger this secret function as the device boots up. No special authentication is needed (meaning you don’t need passwords or admin rights), and attackers can gain root (full) access to the phone’s operating system.
Use the phone as a launch point for deeper enterprise attacks
*Physical access* is required (like being in your office or at a public desk), but many workplaces have phones in common or unsecured areas.
The vulnerability only requires the attacker to be physically present.
- During system startup, the phone doesn’t enforce checks on who is accessing hidden diagnostic/test features.
- Entering a special key sequence or connecting to certain internal interfaces during boot gives the attacker a root shell (command prompt).
Unplug the device and plug it back in to reboot.
2. Trigger Test/Undocumented Mode
- During early boot, press and hold a specific key combination on the device keypad (public documentation is scarce for ethical reasons, but advisories confirm this is possible).
The phone enters its “test mode,” giving inside access.
3. Connect to Serial/Console Interface (optional)
- Some Mitel models expose serial console ports internally, making it easier for attackers with a USB-to-TTL adapter or similar hardware.
Obtain Root Shell
- The attacker now has root access—possibly directly on the phone’s display, or via a serial console.
Attacker connects via serial or enters test mode
$ getty /dev/ttyS
Attacker now has root shell
root@mitel680:~# cat /etc/shadow
Dump hashes, config, etc.
root@mitel680:~# cp /var/config/phone.cfg /usb/
`
*Note: Actual interface names and steps vary by phone series, but the principle remains the same.*
Mitel Security Advisory:
Mitel Security Bulletin – CVE-2022-29855
NIST NVD Entry:
SecurityFocus Bugtraq:
How to Protect Yourself
Mitel has released patched firmware that closes this test functionality hole. If you manage or use these phones:
Download and Apply the Latest Update
Mitel’s Phone Firmware Downloads
Place devices in secure areas.
- Limit USB/console access where possible.
Conclusion
CVE-2022-29855 shines a spotlight on how “undocumented” OEM backdoors and test features can spell disaster for users if not properly controlled. Even hardened enterprise equipment can become a soft spot if attackers have physical access. Review your VoIP endpoints, patch now, and never assume hardware is foolproof.
Stay safe, and keep your devices up to date!
*(This post was written exclusively for educational and defensive purposes. For further details and official fixes, always check the vendor advisories.)*
Timeline
Published on: 05/11/2022 20:15:00 UTC
Last modified on: 06/20/2022 19:15:00 UTC