CVE-2022-29330: Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access th...
Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.
Security readout for executives and security teams
Plain-English summary
This vulnerability can expose sensitive phone-system backup contents in Telesoft VitalPBX versions before 3.2.1. The named data includes SIP extension credentials, cryptographic keys, and voicemail files. For an organization using VitalPBX, the main risk is compromise of communications infrastructure and sensitive voice data.
Executive priority
Treat this as high priority for any organization using affected VitalPBX versions. The issue targets backup data containing credentials, keys, and voicemails, which can create follow-on communications compromise even without code execution evidence.
Technical view
CVE-2022-29330 is a missing access control issue in the VitalPBX backup system before 3.2.1. The CVE states attackers can access PJSIP and SIP extension credentials, cryptographic keys, and voicemail files via unspecified vectors. Public metadata does not provide CVSS, CWE, CPE, or detailed attack preconditions.
Likely exposure
Exposure is likely limited to organizations running Telesoft VitalPBX before 3.2.1, especially where the backup system is reachable by untrusted users or networks. The source bundle does not identify affected CPEs or deployment conditions.
Exploitation context
The CVE record says access is possible via unspecified vectors. The source bundle does not show CISA KEV listing, active exploitation evidence, public exploit details, or reliable prevalence data.
Researcher notes
The public record is sparse: no CVSS vector, CWE mapping, CPE list, or detailed vector is provided in the bundle. Analysis should avoid assuming authentication state, endpoint paths, or exploit maturity beyond the stated missing access control in backups.
Mitigation direction
Upgrade VitalPBX to 3.2.1 or later where applicable.
Restrict access to VitalPBX backup functions to trusted administrators only.
Rotate SIP extension credentials if backup exposure is suspected.
Review and protect cryptographic keys and voicemail files.
Check vendor guidance for any additional remediation steps.
Validation and detection
Inventory all VitalPBX instances and record installed versions.
Flag any VitalPBX deployment older than 3.2.1.
Review backup-system access permissions and network exposure.
Check logs for unusual backup access or file retrieval.
Confirm credential and key rotation after suspected exposure.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-29330 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 24, 2022, 15:20 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.