December 17 Advisory: PoC Exploit Available for Mitel MiCollab VoIP Platform [CVE-2024-35286, CVE-2024-41713, CVE-2024-55550]

Rapid Response

Date of Disclosure: December 5, 2024 (PoC exploit was published)
Date Reported as Actively Exploited (source): January 7, 2025

**Update** (January 8, 2025): CVE-2024-41713 and CVE-2024-55550 were added to CISA’s list of known exploited vulnerabilities on January 7, 2025.

CVE-2024-35286, CVE-2024-41713, and CVE-2024-55550 are three vulnerabilities in the VoIP platform Mitel MiCollab, reported on by watchTowr Labs. CVE-2024-35286 is a known critical pre-authenticated SQL injection vulnerability, CVE-2024-41713 is an authentication bypass flaw, and CVE-2024-55550 is an arbitrary file read vulnerability. 

CVE-2024-55550 was an unassigned zero-day when watchTowr published their blog post, but has since received a CVE ID and been mitigated by the vendor. In its advisory, Mitel urged customers to update to MiCollab 9.8 SP2 (9.8.2.12). This patch also mitigates CVE-2024-55550, which Mitel describes as a low severity local file read exposure to be addressed in future product updates.

| Field | CVE-2024-35286 | CVE-2024-41713 | CVE-2024-55550 |
|---|---|---|---|
| CVSS | 9.8 (critical), assigned by CISA-ADP | 9.1 (critical), assigned by CISA-ADP | 4.4 (medium), assigned by CISA-ADP |
| Vulnerability Description | Unauthenticated SQL injection due to insufficient sanitization of user input. | Unauthenticated path traversal attack, due to insufficient input validation, allowing unauthorized access, enabling the attacker to view, corrupt, or delete users’ data and system configurations. | Authenticated attackers with administrative privilege can conduct a local file read, due to insufficient input sanitization. |
| Date of Disclosure | October 21, 2024 | October 21, 2024 | December 5, 2024 |
| Affected Assets | NPM component of Mitel MiCollab. Requires a specific configuration exposing the `/npm-admin` endpoint. | NPM component of Mitel MiCollab. PoC exploit from watchTowr targets the `/npm-pwg/..;/usp/` endpoint. | Mitel MiCollab |
| Vulnerable Software Versions | Mitel MiCollab through 9.8.0.33 | Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) | Mitel MiCollab through 9.8 SP2 |

| Field | Details |
|---|---|
| PoC Available? | watchTowr published a PoC exploit for CVE-2024-41713 and CVE-2024-55550, but no PoC was available for CVE-2024-35286 at the time of writing. |
| Exploitation Status | These vulnerabilities do not appear on CISA KEV at the time of writing, but malicious hosts were observed using CVE-2024-35286 and CVE-2024-41713 in GreyNoise. |
| Patch Status | Mitel released a security advisory for CVE-2024-35286, urging customers to update to the latest version of MiCollab. Mitel also released a security advisory for CVE-2024-41713 and CVE-2024-55550; MiCollab 9.8 SP2 (9.8.2.12) patches CVE-2024-41713 and substantially mitigates CVE-2024-55550. Mitel describes CVE-2024-55550 as a low severity vulnerability that will be addressed in future product updates. |

Censys Perspective

At the time of writing, Censys observed 8,899 exposed Mitel MiCollab instances. watchTowr’s blog post and a few other media outlets reported approximately 16,000 active instances. This discrepancy may stem from differences in detection methods, including the potential for false positives on either side. Despite additional searches, we were unable to account for the variance in reported numbers.

The following query in Censys Search yields additional results that may suggest the presence of MiCollab software, but may have a higher prevalence of false positives:

"O=Mitel Networks, OU=VoIP Platforms"

While the majority of these results overlap with our MiCollab fingerprint, many do not. The non-overlapping results are often associated with Mitel Communications Director or MiVoice Business, which are frequently integrated with MiCollab but do not necessarily confirm its presence on the same host.

The most reliable indicator of MiCollab we’ve observed so far is the following string, referenced in watchTowr’s PoC exploit:

```python
if "MiCollab End User Portal" not in pre_check.text:
    print(f"[*] Server is not Mitel MiCollab, exiting...")
    exit()
```

A large proportion of these (54%) are geolocated in the United States. Note that not all observed instances are necessarily vulnerable, as version information is not available to us.
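As an added illustration (not Censys’s or watchTowr’s code), the following combines the two fingerprints described above with the vulnerable-version ranges from the table to triage an internal asset inventory; it assumes the MiCollab build string is known from your own records, since it is not observable externally.

```python
"""Defender-side triage of MiCollab exposure. Constructed example built from the
advisory's fingerprint strings and "through" version ceilings; not vendor code."""
import re

# Last affected build per CVE, from the advisory table ("through X" includes X).
# 9.8.2.12 is the 9.8 SP2 build named in the advisory; SP2 only mitigates 55550.
LAST_AFFECTED = {
    "CVE-2024-35286": (9, 8, 0, 33),    # through 9.8.0.33
    "CVE-2024-41713": (9, 8, 1, 201),   # through 9.8 SP1 FP2 (9.8.1.201)
    "CVE-2024-55550": (9, 8, 2, 12),    # through 9.8 SP2 (9.8.2.12)
}

def parse_version(text):
    """Turn a dotted build string such as '9.8.1.201' into a 4-tuple.
    Missing trailing components are treated as 0 (e.g. '9.8' -> 9.8.0.0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def applicable_cves(version):
    """CVE IDs whose affected range still includes the given build."""
    v = parse_version(version)
    return sorted(cve for cve, last in LAST_AFFECTED.items() if v <= last)

def classify_host(body, cert_subject):
    """Fingerprint confidence for one host:
    'high' if the End User Portal string (watchTowr's own pre-check) is in the
    HTTP body; 'low' if only the Mitel VoIP certificate subject matches, which
    the advisory notes often belongs to MiVoice Business or Communications
    Director rather than MiCollab; 'none' otherwise."""
    if "MiCollab End User Portal" in body:
        return "high"
    if "O=Mitel Networks" in cert_subject and "OU=VoIP Platforms" in cert_subject:
        return "low"
    return "none"

if __name__ == "__main__":
    # Constructed inventory records (hostnames and builds are hypothetical).
    inventory = [
        ("voip-1.example.internal", "<title>MiCollab End User Portal</title>", "", "9.8.1.201"),
        ("voip-2.example.internal", "", "CN=pbx, O=Mitel Networks, OU=VoIP Platforms", "9.8.2.12"),
    ]
    for host, body, subject, build in inventory:
        print(host, classify_host(body, subject), applicable_cves(build))
```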

Map of Exposed Mitel MiCollab instances:

Censys Search Query:

```
services.software: (vendor="Mitel" and product="MiCollab")
```

Censys ASM Query:

```
host.services.software: (vendor="Mitel" and product="MiCollab")
```

Note that these fingerprints were recently deployed and results may take 24 hours to fully propagate.
