Mitel Issues Critical Security Advisory for PHP Argument Injection Vulnerability
Mitel, a global leader in business communications solutions, has issued two critical security advisories warning users of a severe vulnerability in the PHP scripting engine. The vulnerability, identified as CVE-2024-4577 (CVSS 9.8), affects PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when used with Apache and PHP-CGI on Windows systems.
The flaw arises from how Windows handles certain string characters in PHP-CGI setups. Under specific conditions, an attacker can inject malicious commands into the PHP binary, revealing sensitive information or executing arbitrary code. The vulnerability is particularly concerning as it can be exploited remotely, without requiring any prior authentication.
The vulnerability affects several Mitel products, including:
- OpenScape Voice Trace Manager: Versions V8.R0.9.13 and earlier
- MiContact Center Enterprise: Versions 9.7 SP1 and earlier
- Mitel CMG Suite: Versions 9.0 and earlier
If exploited, attackers could gain unauthorized access to these systems, potentially leading to data breaches, service disruptions, and financial losses.
Mitel strongly recommends immediate action to mitigate the risk:
- OpenScape Voice Trace Manager: Update to version V8.R0.9.14 or later.
- General Workarounds:
- Operate affected systems within a secure network protected by a firewall.
- Limit public exposure of web interfaces.
- Restrict access to trusted IP addresses.
- Disable remote access to web interfaces and enforce strict change management procedures.
- General Workarounds:
- MiContact Center Enterprise and Mitel CMG Suite: Consult Mitel’s Knowledge Management System (KMS) articles SO8099 and SO8092 for specific instructions.
Multiple threat actors are actively exploiting this vulnerability, highlighting the urgency of applying patches or workarounds. The widespread attacks underscore the severity of the flaw and its potential for widespread disruption.
Mitel customers are urged to take immediate action to safeguard their communications infrastructure. Delaying updates significantly increases the risk of compromise. By following Mitel’s guidance and implementing recommended security practices, organizations can protect their systems and data from malicious actors.
