CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-41713

CVSS 9.1v3.1pub. 2024-10-21upd. 2025-11-04

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Mitel Micollab

    APP
    Mitel
    ≤ 9.8.1.201

CISA KEV — detailsi

Vendori
Mitel
Producti
MiCollab
Added to KEVi
January 7, 2025
Remediation deadline (US Federal)i
January 28, 2025(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 28 stycznia 2025
Tags
Path TraversalAuth Bypass
CWE
References

Related vulnerabilities

CVE-2022-26143CRITICAL9.8⚠ KEVten sam produkt

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through ...

CVE-2024-35286CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia

CVE-2024-35285CRITICAL9.8PL ✓ten sam produkt

Command injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia

CVE-2024-35314CRITICAL9.8PL ✓ten sam produkt

Command Injection w Mitel MiCollab i MiVoice Business Solution Virtual Instance

CVE-2024-47223CRITICAL9.4PL ✓ten sam produkt

SQL Injection w komponencie AWV Mitel MiCollab — dostęp bez uwierzytelnienia