Mitel MiCollab Collaboration Platform Faces Unresolved Zero-Day Vulnerability
December 5, 2024
Researchers from watchTowr have found an arbitrary file read zero-day vulnerability in the Mitel MiCollab collaboration platform. The flaw lets an attacker read files of their choosing from the server's filesystem. Mitel MiCollab is a unified communications product used by organizations ranging from large corporations to small and medium-sized enterprises, including those with remote or hybrid workforces.
watchTowr alerted Mitel to the vulnerability on August 26, and the 90-day disclosure window has since elapsed with no patch available. In its published report, watchTowr stated, "watchTowr contacted Mitel on August 26 about the new vulnerability. Mitel informed watchTowr of plans to patch the first week of December 2024. At the time of publishing, there has been no update on the Mitel Security Advisory page."
The zero-day vulnerability was discovered during an investigation into previously reported vulnerabilities in MiCollab, namely CVE-2024-35286, an SQL injection flaw, and CVE-2024-41713, an authentication bypass issue. These vulnerabilities were respectively patched by Mitel on May 23 and October 9.
The new vulnerability was found while the researchers were examining the 'ReconcileWizard' servlet. They injected a path traversal string (../../../) into the 'reportName' parameter of an XML-based API request; the server used the value to build a file path without confining it to the intended directory. This allowed them to read sensitive files such as '/etc/passwd,' which lists the system's local user accounts. watchTowr also published a proof-of-concept exploit for the flaw.
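To make the mechanism concrete, here is an added example of how an unchecked report-name parameter turns into a traversal file read, and what the check that stops it looks like. This is illustrative code written for this article, not MiCollab's servlet or watchTowr's proof of concept; the XML document structure, the `/opt/reports` directory, and the function names are assumptions, and the request bodies are constructed.

```python
"""Added example (not MiCollab code): path traversal via an unchecked
report-name parameter, a naive resolver that escapes the report directory,
and a hardened resolver plus a detector for request logs."""
import posixpath
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import unquote

# Hypothetical directory the servlet is meant to serve reports from.
# The real layout on a MiCollab server is not known to this example.
REPORT_DIR = "/opt/reports"


def report_name_from_xml(body: str) -> str:
    """Extract <reportName> from an XML request body.

    The element name follows the article; the enclosing document
    structure is an assumption for this example."""
    root = ET.fromstring(body)
    node = root.find(".//reportName")
    if node is None or node.text is None:
        raise ValueError("reportName missing")
    return node.text.strip()


def vulnerable_resolve(report_name: str) -> str:
    """Naive join: '../' segments walk straight out of REPORT_DIR.

    posixpath is used so the result is identical on every platform."""
    return posixpath.normpath(posixpath.join(REPORT_DIR, report_name))


def hardened_resolve(report_name: str) -> str:
    """Canonicalise lexically, then require the result to stay strictly
    below REPORT_DIR. Rejects empty names, NUL bytes and absolute paths
    before any filesystem access happens."""
    if not report_name or "\x00" in report_name:
        raise ValueError("malformed report name")
    if PurePosixPath(report_name).is_absolute():
        raise ValueError("absolute path not allowed")
    base = PurePosixPath(REPORT_DIR)
    candidate = PurePosixPath(
        posixpath.normpath(posixpath.join(REPORT_DIR, report_name))
    )
    # base must be a proper ancestor; '.' or '../' tricks fail this test.
    if base not in candidate.parents:
        raise ValueError("path escapes report directory")
    # On a real server, also os.path.realpath() the opened file so that a
    # symlink inside REPORT_DIR cannot point back outside it.
    return str(candidate)


def is_traversal_attempt(raw_value: str) -> bool:
    """Detection helper for request logs: percent-decode up to twice
    (catching single and double encoding), then apply the same
    containment rule the hardened resolver enforces."""
    decoded = raw_value
    for _ in range(2):
        decoded = unquote(decoded)
    try:
        hardened_resolve(decoded)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request body shaped after the article's description.
    body = ("<ReconcileRequest><reportName>../../../etc/passwd"
            "</reportName></ReconcileRequest>")
    name = report_name_from_xml(body)
    print("naive resolver opens:", vulnerable_resolve(name))
    try:
        hardened_resolve(name)
    except ValueError as exc:
        print("hardened resolver rejects:", exc)
    for sample in ["monthly.xml", "..%2F..%2Fetc%2Fpasswd", "%252e%252e/x"]:
        print(sample, "->", "TRAVERSAL" if is_traversal_attempt(sample) else "ok")
```

The key point is that `normpath` alone is not a defence: the naive resolver happily produces `/etc/passwd` because normalisation collapses the `..` segments after they have already left the base directory. The hardened version normalises and then checks ancestry, which is the order that matters.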
Although the zero-day is less severe on its own than the other two flaws, it still poses a significant threat because it allows unauthorized users to read sensitive system files. It is also worth noting that MiCollab has been targeted by threat actors in the recent past. With no fix available, organizations running MiCollab remain exposed and should take immediate steps to reduce their risk. Users are advised to update to the latest version of Mitel MiCollab: while it does not address the zero-day, it does protect against the other critical flaws disclosed recently.