Mitel this week informed customers about the availability of patches for a critical MiCollab vulnerability that can be exploited remotely and without authentication.
The flaw, which at present does not appear to have a CVE identifier, has been described as a path traversal issue affecting MiCollab's NuPoint Unified Messaging (NPM) component.
MiCollab 9.8 SP2 (9.8.2.12) and earlier are impacted, and a patch is included in versions 9.8 SP3 (9.8.3.1) and later. MiCollab 10.0.0.26 and later versions are not affected.
Mitel MiCollab is a communications and collaboration platform that provides users with tools for voice, video, chat, web conferencing, and team collaboration.
The vulnerability, according to Mitel, can allow an attacker to "gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server".
Dahmani Toumi, the researcher credited with finding the vulnerability, told SecurityWeek that the flaw can be exploited remotely over the internet against MiCollab instances that are exposed to the web.
Toumi said he identified more than 20,000 internet-exposed instances using the Shodan search engine. It is unclear exactly how many of them may be vulnerable to attacks.
According to the researcher, exploitation of the vulnerability in a real-world setting could lead to data exposure, service disruptions, or further compromise of the targeted organization's systems.
The researcher clarified that Mitel released a patch for the vulnerability in February 2025. He also pointed out that this vulnerability is actually a bypass of the patch for CVE-2024-41713, a similar security hole disclosed in the fall of 2024.
The cybersecurity agency CISA warned in early 2025 that CVE-2024-41713 had been exploited in the wild, along with another MiCollab vulnerability tracked as CVE-2024-55550.
It is not unusual for threat actors to target Mitel products in their attacks. For instance, the Aquabot DDoS botnet was recently observed exploiting a vulnerability in Mitel SIP phones.
Related: PoC Exploit Published for Unpatched Mitel MiCollab Vulnerability
Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild
Related: Many Malware Campaigns Linked to Proton66 Network