Threat Advisory

Critical Flaw in Mitel MiCollab Allows Unauthorized File Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A zero-day vulnerability has been discovered in Mitel MiCollab that enables attackers to access sensitive files on the server's filesystem via a path traversal flaw in the 'ReconcileWizard' servlet. The flaw, uncovered by researchers, remains unpatched after being reported to Mitel months ago, leaving users exposed. Although the vulnerability is less critical than previous flaws, it still poses a significant risk, as unauthorized users can access sensitive files such as '/etc/passwd'.
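A defender-side log check for the traversal pattern described above, added here as an example that is not from the advisory or from Mitel: it percent-decodes query values (including double encoding) and flags requests to the servlet whose values climb above their base directory. The servlet URL path, the 'file' parameter name and the access-log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote
# The advisory names only the 'ReconcileWizard' servlet; the URL path and
# the 'file' query parameter used below are assumptions, not known values.
SERVLET = "ReconcileWizard"

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /ReconcileWizard?file=report.xml HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2024:10:00:02 +0000] "GET /ReconcileWizard?file=../../../../etc/passwd HTTP/1.1" 200 1438
10.0.0.9 - - [01/Dec/2024:10:00:03 +0000] "GET /ReconcileWizard?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1438
10.0.0.7 - - [01/Dec/2024:10:00:04 +0000] "GET /portal/index.html HTTP/1.1" 200 2048
10.0.0.9 - - [01/Dec/2024:10:00:05 +0000] "GET /ReconcileWizard?file=reports/2024/summary.txt HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def fully_decode(value: str, rounds: int = 3) -> str:
    # Percent-decode until stable so double-encoded '%252e%252e%252f' becomes '../'.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path_value: str) -> bool:
    # True if the decoded value climbs above its starting directory ('\' counts as '/').
    depth = 0
    for seg in fully_decode(path_value).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def flag_requests(log_text: str):
    # Return (client_ip, target, status) for servlet requests whose query
    # values contain a traversal sequence; legitimate nested paths are kept.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or SERVLET not in m["target"]:
            continue
        query = m["target"].partition("?")[2]
        if any(escapes_root(pair.partition("=")[2]) for pair in query.split("&")):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits
```

Running `flag_requests(SAMPLE_LOG)` returns only the two requests from 10.0.0.9 that reach for '/etc/passwd'; the nested but legitimate 'reports/2024/summary.txt' request is not flagged.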

The previous flaws referred to above are:

  • CVE-2024-35286: An SQL injection vulnerability in Mitel MiCollab, with a CVSS score of 7.5, which allowed attackers to execute arbitrary SQL commands.

  • CVE-2024-41713: An authentication bypass vulnerability, with a CVSS score of 8.0, which allowed unauthorized users to bypass authentication mechanisms and access sensitive areas of the platform.

The vulnerability in Mitel MiCollab poses a significant risk due to its potential to expose sensitive system files. Users should apply the latest security updates to mitigate this threat.

RECOMMENDATION:

  • We strongly recommend you update Mitel MiCollab to versions 9.8 SP2 (9.8.2.12) or later.

REFERENCES:

The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/mitel-micollab-zero-day-flaw-gets-proof-of-concept-exploit/
