Severe Security Breach: Mitel MiCollab Vulnerability Enables Unauthorized System Control

A critical security vulnerability (CVE-2024-41713, CVSS 9.8) has been discovered in Mitel MiCollab’s NuPoint Unified Messaging component. The flaw allows path traversal attacks due to insufficient input validation.

Key Points:

– MiCollab integrates chat, voice, video, and SMS messaging with Microsoft Teams

– The vulnerability enables unauthorized access to sensitive files without authentication

– Attackers can exploit it by using “..;/” in HTTP requests to the ReconcileWizard component

– The flaw can be combined with an unpatched file read vulnerability for greater impact
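As an added example (not from the original article, and not Mitel's or Rapid7's code), the following Python script shows how a defender could hunt for the "..;/" pattern described above in web-server access logs. It normalizes each request path the way a servlet container does, dropping ";param" suffixes from every segment and resolving "..", so percent-encoded variants are caught as well, and it flags requests whose normalized path leaves the component they were routed under. The log lines, IP addresses, timestamps and the /ReconcileWizard/... paths are constructed placeholders, not MiCollab's real routes or real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. Made up for this
# example; the paths are placeholders and do not reflect real MiCollab routes.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2024:10:15:01 +0000] "GET /ReconcileWizard/index.html HTTP/1.1" 200 512
10.0.0.7 - - [09/Dec/2024:10:15:09 +0000] "GET /ReconcileWizard/..;/admin/config HTTP/1.1" 200 2048
10.0.0.7 - - [09/Dec/2024:10:15:12 +0000] "GET /ReconcileWizard/%2e%2e;/admin/config HTTP/1.1" 200 2048
10.0.0.9 - - [09/Dec/2024:10:16:30 +0000] "POST /ReconcileWizard/submit HTTP/1.1" 302 0
10.0.0.9 - - [09/Dec/2024:10:16:31 +0000] "GET /static/../static/logo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_target(target):
    """Drop the query string and percent-decode twice to cover double encoding."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def normalize_path(path):
    """Resolve '.' and '..' after stripping ';param' from each segment.

    Servlet containers treat ';...' inside a segment as a path parameter and
    ignore it, which is why '..;/' can slip past a naive '../' check.
    Returns (normalized_path, had_dotdot).
    """
    out = []
    had_dotdot = False
    for seg in path.split('/'):
        seg = seg.split(';', 1)[0]
        if seg in ('', '.'):
            continue
        if seg == '..':
            had_dotdot = True
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out), had_dotdot


def analyze_target(target):
    """Return the reasons a request target looks like traversal (empty if clean)."""
    reasons = []
    path = decode_target(target)
    if '..;' in path:
        reasons.append('semicolon-traversal')
    norm, had_dotdot = normalize_path(path)
    if had_dotdot:
        reasons.append('dotdot-segment')
    # Compare the component the request was routed under with where it ends up.
    raw_parts = [p for p in path.split('/') if p]
    raw_first = raw_parts[0].split(';', 1)[0] if raw_parts else ''
    norm_first = norm.strip('/').split('/')[0] if norm != '/' else ''
    if raw_parts and raw_first != norm_first:
        reasons.append('context-escape')
    return reasons


def scan_log(text):
    """Parse CLF lines and return the suspicious requests with their reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_target(m.group('target'))
        if reasons:
            hits.append({
                'ip': m.group('ip'),
                'target': m.group('target'),
                'status': int(m.group('status')),
                'reasons': reasons,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['target'], ', '.join(hit['reasons']))
```

A "context-escape" finding answered with a 2xx status is the high-signal case to investigate first: the request left the component it was routed under and the server still served content. A bare "dotdot-segment" that resolves back into the same component (the /static/ line above) is usually noise from odd clients, but it is still worth keeping in the output so the rule can be tuned against real traffic.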

Security Updates:

– Fixed in MiCollab version 9.8 SP2 (9.8.2.12) released October 9, 2024

– Additional SQL injection vulnerability (CVE-2024-47223, CVSS 9.4) also patched

– Earlier vulnerability CVE-2024-35286 was patched in version 9.8 SP1

Potential Impact:

– Unauthorized system access

– Exposure of sensitive information

– Compromise of system confidentiality and integrity

– Unauthorized administrative actions

Related Development:

Rapid7 identified similar vulnerabilities in Lorex 2K Indoor Wi-Fi Security Cameras (CVE-2024-52544 through CVE-2024-52548), potentially allowing remote code execution.