Critical Security Advisory: Mitel MiCollab Vulnerabilities Exposed (CVE-2024-35285 & CVE-2024-35286)
In an urgent security advisory, Mitel has warned users of its MiCollab communications platform to immediately patch critical vulnerabilities that could expose their systems to remote attacks. The vulnerabilities, tracked as CVE-2024-35285 and CVE-2024-35286, have been assigned the highest severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS).
Command Injection and SQL Injection Attacks
The first vulnerability, CVE-2024-35285, is a command injection flaw within the NuPoint Unified Messaging component of Mitel MiCollab. It arises from insufficient parameter sanitization, allowing an unauthenticated attacker to inject and execute arbitrary commands within the system’s context. Successful exploitation could compromise the system’s confidentiality, integrity, and availability.
The second vulnerability, CVE-2024-35286, is a SQL injection flaw, also within the NuPoint Unified Messaging component of Mitel MiCollab. It is due to inadequate sanitization of user input, permitting an unauthenticated attacker to perform SQL injection attacks. Exploiting this vulnerability could enable attackers to access sensitive information and execute arbitrary database and management operations, posing a severe threat to the system’s data security.
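Both flaws share one root cause: untrusted request parameters reaching a command interpreter or a SQL engine without validation or proper escaping. The example below is added here to illustrate the two defensive patterns an advisory like this implies; it is not Mitel code, and the mailbox-number format, the table layout and the helper tool name are assumptions constructed for the demonstration. The "unsafe" functions are kept only to contrast the shape of the defect against the hardened form.

```python
import re
import sqlite3
import subprocess

# Allowlist for a mailbox identifier: digits only, bounded length.
# Assumption for this example; the advisory does not describe MiCollab's real parameter formats.
MAILBOX_RE = re.compile(r"[0-9]{1,10}")


def validate_mailbox(value: str) -> str:
    """Allowlist check: reject anything that is not a plain mailbox number before it goes anywhere."""
    if not MAILBOX_RE.fullmatch(value):
        raise ValueError(f"invalid mailbox identifier: {value!r}")
    return value


def build_command_unsafe(mailbox: str) -> str:
    """Vulnerable shape (never executed here): untrusted input spliced into a shell command string.
    If this string were handed to a shell, metacharacters inside `mailbox` would be interpreted."""
    return f"voicemail-tool --mailbox {mailbox}"  # hypothetical tool name


def run_command_safe(mailbox: str, tool: str = "echo") -> str:
    """Hardened shape: validate first, then pass the value as its own argv element with shell=False,
    so no shell ever parses it. `tool` defaults to echo so the example runs anywhere."""
    argv = [tool, "--mailbox", validate_mailbox(mailbox)]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a voicemail store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailboxes (id TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO mailboxes VALUES (?, ?)", [("1001", "alice"), ("1002", "bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, mailbox: str) -> list:
    """Vulnerable shape: the value is formatted into the SQL text, so a quote in it changes the statement."""
    return conn.execute(f"SELECT owner FROM mailboxes WHERE id = '{mailbox}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, mailbox: str) -> list:
    """Hardened shape: parameter binding; the driver treats the value as data, never as SQL."""
    return conn.execute("SELECT owner FROM mailboxes WHERE id = ?", (mailbox,)).fetchall()


def sql_demo(mailbox: str) -> dict:
    """Run the same input through both paths and report what each did."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, mailbox)
    except sqlite3.OperationalError as exc:
        # A stray quote broke the statement: proof the input was parsed as SQL, not as a value.
        unsafe = f"error: {exc}"
    return {"unsafe": unsafe, "safe": lookup_safe(conn, mailbox)}


if __name__ == "__main__":
    print(run_command_safe("1001"))
    print(sql_demo("1001"))
    print(sql_demo("1001'"))
```

Parameter binding alone neutralises the SQL path, and an argv list with `shell=False` alone neutralises the shell path; applying the allowlist check in front of both is the defence in depth the patch description (sanitization plus validation) points at.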
Who is Affected?
The vulnerabilities affect Mitel MiCollab versions 9.8.0.33 and earlier. Mitel has released patches for both vulnerabilities in MiCollab 9.8 SP1 (9.8.1.5) and later.
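A quick way to turn the version boundary above into an inventory check. This helper is added here and is not Mitel tooling; the host names and build strings in the sample inventory are constructed, and any build below the first fixed release (9.8.1.5) is conservatively treated as affected.

```python
import re

# Boundary from the advisory: 9.8.0.33 and earlier affected, fixed in 9.8 SP1 (9.8.1.5).
LAST_AFFECTED = (9, 8, 0, 33)
FIRST_FIXED = (9, 8, 1, 5)


def parse_version(text: str) -> tuple:
    """Turn a dotted build string such as '9.8.0.33' into a comparable 4-tuple, padding short forms with zeros."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(text: str) -> bool:
    """Anything older than the first fixed build is treated as vulnerable (conservative reading)."""
    return parse_version(text) < FIRST_FIXED


def triage(inventory: dict) -> dict:
    """Map host -> 'patch required' / 'fixed' / 'unknown version' for a {host: version} inventory."""
    out = {}
    for host, version in inventory.items():
        try:
            out[host] = "patch required" if is_affected(version) else "fixed"
        except ValueError:
            out[host] = "unknown version"
    return out


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {"pbx-01": "9.8.0.33", "pbx-02": "9.8.1.5", "pbx-03": "9.7.2.10", "pbx-04": "n/a"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```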
Available Solutions
Mitel has addressed these vulnerabilities in its latest update. Users are strongly advised to upgrade to MiCollab 9.8 SP1 (9.8.1.5) or later to mitigate the associated risks. The update includes patches that strengthen parameter sanitization and input validation to prevent both command injection and SQL injection attacks.