Bypass-Bug lässt kritischen N-Day in Mitel MiCollab wieder aufleben

Teilen:

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there’s a workaround.

Two new vulnerabilities in Mitel’s MiCollab unified communications and collaboration (UCC) platform could help expose gobs of enterprise data.

MiCollab is a cross-platform application on mobile devices and desktops that combines instant messaging, SMS, phone calls, video calls, file sharing, remote desktop sharing — really any form of collaboration that occurs within an organization, save talking out loud. Organizations rely on it heavily for day-to-day business operations and, invariably, to house large amounts of personal and communications data.

That’s what made CVE-2024-35286 so inconvenient when it was discovered earlier this year. This SQL injection vulnerability, resulting from a lack of user input sanitization, earned a “critical” 9.8 score in the Common Vulnerability Scoring System (CVSS) for how it allowed attackers to access important business data, and execute database and management operations at will. It came with a catch, though: A specific configuration was required to reach the vulnerable endpoint, where the treasure lay.

In a new blog post, researchers from watchTowr noted that “No sensible admin would do this” — referring to the undisclosed configuration — so the risk to reliable organizations was low. However, the researchers went on to discover a path traversal vulnerability in MiCollab — not to mention a third, arbitrary file-read vulnerability — which rendered that one lone defense moot.

The New MiCollab Exploit Chain

At Black Hat six years ago, a researcher going by the moniker Orange Tsai presented research exposing issues with how Web applications handle path normalization. Using special characters in URLs, attackers could trick Web servers into giving them access to files and directories they shouldn’t be able to access.

Researchers from watchTowr put this logic to the test while toying with CVE-2024-35286. Working with an Apache configuration for MiCollab published to the Web back in 2009, they discovered that they could use the input “..;/” to bypass all roadblocks on the way to the vulnerable endpoint — “/npm-admin” from the NuPoint Unified Messaging (UM) component of the platform — with no authentication required. This stacked vulnerability was acknowledged as CVE-2024-41713, and given a “high” CVSS score of 7.5.

CVE-2024-41713 gave new life to the older CVE-2024-35286, and then the researchers discovered yet another zero-day allowing for arbitrary file read, which hasn’t been assigned a CVE label or CVSS score. The three work best in combination: CVE-2024-41713 lubricating initial access, the arbitrary file-read issue providing visibility into files across the system, and CVE-2024-35286 enabling any number of malicious operations thereon. For its part, watchTowr published a proof-of-concept (PoC) exploit to GitHub that combines the first two.

“Based on public sources, there are over 10,000 publicly exposed Mitel MiCollab devices,” notes Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. “Provided that NuPoint Unified Messaging (NPM) is enabled, a remote threat actor can use CVE-2024-41713 and the [file-read] zero-day to access arbitrary files on affected devices.”

Which is exactly what the proof-of-concept code does, he adds. “It does so by accessing the npm-pwg directory and invoking the Reconcile Wizard, which is normally used to generate system reports. If the attacker gets ahold of sensitive files containing authentication information on the device, this could be used to gain access to the device and possibly snoop on conversations flowing through the vulnerable instance.”

Hacking Enterprise Communications

An email arrives in an employee’s inbox from their boss. “Hi, please wire a payment to our contractor at [bank account number] immediately.” The number one thing employees are told, to screen scams like this, is to call their boss to confirm the legitimacy of the email. But what if their phone system itself is breached?

“The vulnerabilities in Mitel MiCollab highlight a growing trend of attackers targeting communication platforms to gain access to sensitive systems,” says Callie Guenther, senior manager of cyber threat research at Critical Start. Besides intercepting or blocking an organization’s central lines of communication, snooping on employees, or simply causing a general havoc, attackers can also use a platform like MiCollab to facilitate any number of other kinds of cyberattacks. “Similar issues have been exploited in the past, such as the 2022 Mitel MiVoice Connect vulnerability (CVE-2022-29499), which ransomware groups used to deploy Web shells and move laterally through networks,” she notes.

Both named CVEs have been patched as of Oct. 9. Mitel acknowledged the arbitrary file-read bug, but hasn’t yet patched it at the time of publication. Organizations with MiCollab up to date are covered most of the way, though, as this last issue requires authentication to exploit.

Nate Nelson

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
5:02 am, Juli 11, 2025
Wetter-Symbol 17°C
L: 16° | H: 18°
aufgelockerte Bewölkung
Luftfeuchtigkeit: 82 %
Druck: 1021 mb
Wind: 3 mph E
Windböe: 0 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 39%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 4:56 am
Sonnenuntergang: 9:15 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 10:00 pm
Wetter-Symbol
16° | 18°°C 0 mm 0% 8 mph 78 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
Wetter-Symbol
19° | 30°°C 0 mm 0% 10 mph 66 % 1019 mb 0 mm/h
So. Juli 13 10:00 pm
Wetter-Symbol
18° | 30°°C 0 mm 0% 7 mph 71 % 1015 mb 0 mm/h
Mo. Juli 14 10:00 pm
Wetter-Symbol
18° | 28°°C 1 mm 100% 15 mph 84 % 1016 mb 0 mm/h
Di. Juli 15 10:00 pm
Wetter-Symbol
14° | 20°°C 1 mm 100% 14 mph 81 % 1017 mb 0 mm/h
Today 7:00 am
Wetter-Symbol
18° | 19°°C 0 mm 0% 2 mph 78 % 1021 mb 0 mm/h
Today 10:00 am
Wetter-Symbol
24° | 27°°C 0 mm 0% 2 mph 58 % 1021 mb 0 mm/h
Today 1:00 pm
Wetter-Symbol
30° | 30°°C 0 mm 0% 3 mph 32 % 1020 mb 0 mm/h
Today 4:00 pm
Wetter-Symbol
32° | 32°°C 0 mm 0% 4 mph 26 % 1018 mb 0 mm/h
Today 7:00 pm
Wetter-Symbol
30° | 30°°C 0 mm 0% 6 mph 29 % 1017 mb 0 mm/h
Today 10:00 pm
Wetter-Symbol
23° | 23°°C 0 mm 0% 8 mph 49 % 1019 mb 0 mm/h
Tomorrow 1:00 am
Wetter-Symbol
21° | 21°°C 0 mm 0% 5 mph 57 % 1019 mb 0 mm/h
Tomorrow 4:00 am
Wetter-Symbol
19° | 19°°C 0 mm 0% 5 mph 66 % 1018 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€99,736.71
5.06%
Ethereum(ETH)
€2,537.04
6.96%
Fesseln(USDT)
€0.85
-0.01%
XRP(XRP)
€2.20
6.20%
Solana(SOL)
€140.92
4.79%
USDC(USDC)
€0.85
-0.01%
Dogecoin(DOGE)
€0.169182
9.87%
Shiba Inu(SHIB)
€0.000012
8.38%
Pepe(PEPE)
€0.000011
15.69%
Peanut das Eichhörnchen(PNUT)
€0.250729
23.47%
Nach oben scrollen