CVE-2024-41713 (CVSS 9.8): Unpatched MiCollab Vulnerability Allows Unauthorized Access
Mitel has issued a critical security advisory addressing a newly discovered vulnerability, CVE-2024-41713, in the MiCollab platform. This path traversal vulnerability, which carries a CVSS score of 9.8, affects the NuPoint Unified Messaging (NPM) component of MiCollab and could allow an unauthenticated attacker to gain unauthorized access to sensitive information and potentially perform administrative actions on the system.
The root of the vulnerability lies in insufficient input validation within the affected component. “A path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation,” the advisory explains. This flaw can be exploited without requiring authentication, which significantly increases the risk to organizations using the affected product versions.
If successfully exploited, the attacker could gain access to provisioning information, including non-sensitive user and network details, while also being able to execute unauthorized administrative actions on the MiCollab server. The advisory warns that this vulnerability could severely impact the confidentiality, integrity, and availability of the system.
Credit for identifying this vulnerability has been attributed to Sonny Macdonald of watchTowr, whose timely discovery helped bring this critical issue to Mitel’s attention.
Mitel has urged all customers using affected versions to update immediately. “Mitel is recommending customers with affected product versions update to the latest release,” the advisory states. Users should upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later to ensure that their systems are protected from this critical vulnerability.
For customers unable to upgrade immediately, Mitel has also provided a patch for versions 9.7 and above as an interim mitigation until a full upgrade can be completed. Detailed instructions for applying the patch can be found in Mitel’s Knowledge Management System (KMS).
Organizations are encouraged to act swiftly, as leaving systems unpatched could result in unauthorized access and significant operational disruptions.