Exploitation of critical path traversal vulnerability (CVE-2024-41713) and 0-day path traversal vulnerability (CVE-2024-55550) in Mitel MiCollab

After proof-of-concept technical details were published on 5 December 2024 for CVE-2024-41713 and CVE-2024-55550, exploitation activity chaining these two Mitel MiCollab vulnerabilities has been reported. 

MiCollab is a cloud-based platform that integrates chat, voice, video, and SMS messaging for teams.

• CVE-2024-41713 is a vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab and has a CVSSv3 score of 9.8. Successful exploitation could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation, leading to access to provisioning information including non-sensitive user and network information and perform unauthorised administrative actions on the MiCollab Server. This vulnerability was reported in Cyber Alert CC-4561, but it was not reported as exploited at the time of publication.

• CVE-2024-55550 is a path traversal vulnerability in MiCollab could allow an authenticated attacker with administrative privilege to conduct a local file read within the system due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation. The exposure is substantially mitigated by applying the available remediation for CVE-2024-41713 and the vulnerability severity is rated as low.