CVE-2024-41714 (CVSS 9.9): Command Injection Flaw Discovered in Mitel MiCollab and MiVB SVI
Mitel, a leading provider of business communication solutions, has issued a critical security advisory (24-0021-001) regarding a command injection vulnerability (CVE-2024-41714) found in the MiCollab Client Server of its MiCollab and MiVB SVI products. This vulnerability could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the confidentiality, integrity, and availability of the affected systems.
Vulnerability Details
The vulnerability stems from insufficient validation of user input, enabling an authenticated attacker to inject malicious commands into the MiCollab Client Server. Successful exploitation could grant the attacker extensive control over the system, leading to severe consequences.
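The advisory gives no detail of the affected input path, so the following is an added illustration of the vulnerability class it names, not Mitel code: a hypothetical request handler that splices a user-supplied host parameter into a shell command line, beside the hardened form that validates the value against an allow-list and passes it as a separate argv element so no shell ever parses it. The `ping` utility and the `host` parameter are assumptions chosen for the illustration.

```python
import re
import subprocess
from typing import List

# Allow-list for a DNS host name: dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, at most 253 characters overall.
# Input that fails this test is rejected outright rather than "escaped".
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def is_valid_hostname(host: str) -> bool:
    return 0 < len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_command_vulnerable(host: str) -> str:
    """The weak pattern: the request parameter is spliced into one string
    that is later handed to a shell (e.g. subprocess.run(cmd, shell=True)).
    Any shell metacharacter in `host` becomes part of the command line."""
    return f"ping -c 1 {host}"


def build_argv_hardened(host: str) -> List[str]:
    """The corrected pattern: validate against the allow-list first, then
    build an argv list so that no shell ever parses the user-supplied value."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """Execute the hardened form with shell=False; returns the exit status."""
    return subprocess.run(build_argv_hardened(host), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell separator.
    for sample in ("example.com", "example.com; whoami"):
        print("vulnerable:", build_command_vulnerable(sample))
        try:
            print("hardened:  ", build_argv_hardened(sample))
        except ValueError as exc:
            print("hardened:   rejected ->", exc)
```

The hardened form relies on two independent controls: the allow-list rejects anything that is not a plausible host name, and the argv list removes the shell from the execution path entirely, so even a value that slipped past validation would reach `ping` as a single argument rather than as additional commands.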
Affected Products
The following Mitel products are affected by the CVE-2024-41714 vulnerability:
- MiCollab 9.8 SP1 (9.8.1.5) and earlier
- MiVB SVI 1.0.0.27 and earlier
Severity and Risk
Mitel has rated the vulnerability as “Critical,” with a CVSS v3.1 score of 9.9. This indicates a high risk of exploitation and potential for significant damage.
Mitigation and Solution
Mitel strongly recommends that customers with affected product versions upgrade to the following versions or later:
- MiCollab 9.8 SP1 FP1 (9.8.1.108)
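As an added inventory helper (not part of the advisory or of any Mitel tooling), the script below classifies an installed build against the version boundaries stated above. It compares versions as integer tuples because plain string comparison ranks 9.8.1.108 below 9.8.1.5; the page lists no fixed build for MiVB SVI, so that entry is deliberately left empty, and the inventory lines in the usage block are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple

# Version boundaries taken from the advisory text.  The page lists no fixed
# build for MiVB SVI, so that entry stays None rather than a guessed number.
ADVISORY: Dict[str, Dict[str, Optional[str]]] = {
    "MiCollab": {"affected_max": "9.8.1.5", "fixed": "9.8.1.108"},
    "MiVB SVI": {"affected_max": "1.0.0.27", "fixed": None},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.8.1.108' -> (9, 8, 1, 108).  Integer tuples compare numerically;
    plain string comparison would rank 9.8.1.108 below 9.8.1.5."""
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", cleaned):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def assess(product: str, version: str) -> str:
    """Classify an installed build against the advisory:
    'fixed'    - at or above the published fix build
    'affected' - at or below the published affected ceiling
    'unknown'  - above the affected ceiling but below the fix, or no fix
                 build is listed; treat as affected until confirmed."""
    entry = ADVISORY[product]
    installed = parse_version(version)
    fixed = entry["fixed"]
    if fixed is not None and installed >= parse_version(fixed):
        return "fixed"
    if installed <= parse_version(entry["affected_max"]):
        return "affected"
    return "unknown"


if __name__ == "__main__":
    # Constructed inventory lines in the form "<product>,<build>".
    inventory = ["MiCollab,9.8.1.5", "MiCollab,9.8.1.108", "MiVB SVI,1.0.0.27"]
    for line in inventory:
        product, build = line.split(",", 1)
        print(f"{product} {build}: {assess(product, build)}")
```

Builds that fall between the published affected ceiling and the fix build, or belong to a product with no fix build listed, come back as "unknown" on purpose: the advisory does not state their status, so the conservative reading is to treat them as affected until the vendor confirms otherwise.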
For MiCollab 9.7 SP2, Mitel has provided a script as an alternative solution. Detailed instructions on applying the mitigation measures can be found in the Mitel Knowledge Base article SO8132.
Urgency of Action
Due to the critical nature of this vulnerability, users of affected Mitel products must take immediate action. Applying the recommended upgrades or mitigation steps is essential to protect against potential exploitation and safeguard the security of communication systems.