CVE-2024-35286
published 2024-10-21


Priority: P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 65.56% (99.2th percentile)
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.

Affected

1 range

Vendor   Product    Version range   Fixed in
mitel    micollab   <= 9.8.0.33

Detection & IOCs (extracted from sources)

url: /npm-pwg/..;/usp/searchUsers.do
url: /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2
url: /npm-pwg/..;/axis2-AWC/services/listServices
cookie: JSESSIONID=
path: /etc/passwd
command: ../../../etc/passwd
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall|3f|"; fast_pattern; http.request_body; content:"|5f|transaction|3d|"; content:"reportName"; distance:0; pcre:"/^(?:\x3e|%3[eE])[\x3c]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/; reference:cve,2024-41713; reference:cve,2024-55550; classtype:web-application-attack; sid:2058078; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_05, cve CVE_2024_41713_CVE_2024_55550, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara regex: root:.*:0:0:
yara regex: micollab_api:.*:.*
  • Detect exploitation attempts by monitoring HTTP POST requests to the ReconcileWizard servlet path with path traversal sequences in the 'reportName' parameter of the XML body.
  • Monitor HTTP responses for the strings 'com.mitel.npm.web.console' or 'java.lang.NullPointerException' with a 500 status code, which indicate active probing of the NPM component.
  • Flag HTTP GET requests using the path traversal bypass pattern '..;/' against the /npm-pwg/ endpoint, which is used to bypass authentication controls.
  • Monitor logs for suspicious activity targeting the ReconcileWizard servlet or path traversal patterns.
  • Monitor for unexpected access to sensitive files or configuration data, particularly /etc/passwd, as a sign of successful path traversal exploitation.
  • Use Shodan/FOFA queries to identify exposed MiCollab instances that may be targeted: Shodan 'http.html:"Mitel Networks"', FOFA 'body="mitel networks"'.
  • Attacker activity (reconnaissance/exploitation) was observed within hours of PoC release on December 5, 2024; treat any traffic to /npm-pwg/ endpoints from external IPs as high priority.
  • The Snort/ET rule (sid:2058078) covers the chained CVE-2024-41713 + CVE-2024-55550 path traversal attack vector; it does NOT directly detect the original CVE-2024-35286 SQL injection, which targets the NPM component separately.
  • The Nuclei template for CVE-2024-55550 (arbitrary file read) requires a two-step flow: first confirming auth bypass via /npm-pwg/..;/usp/searchUsers.do, then triggering the file read via ReconcileWizard. Both steps must succeed for a positive match.
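As an added example (not code from this page, from Mitel, or from any of the referenced sources), the Python below applies the detection points listed above to a handful of constructed log records: the '..;/' bypass pattern on /npm-pwg/, a POST to the ReconcileWizard servlet whose 'reportName' carries a traversal sequence, a 500 response containing the NPM probe strings, and the two regexes listed under yara run over response bodies. The record layout, source IPs, and request/response contents are all constructed for the example; the body in the second record reproduces only the token sequence the ET rule above keys on, not a real request.

```python
import re
from urllib.parse import unquote

# Constructed sample records (not real traffic). Each stands in for one
# reverse-proxy/WAF log entry that captured method, URI, status, request body
# and a snippet of the response body.
SAMPLE_LOG = [
    {"src": "203.0.113.7", "method": "GET", "status": 200,
     "uri": "/npm-pwg/..;/usp/searchUsers.do", "body": "", "resp": ""},
    {"src": "203.0.113.7", "method": "POST", "status": 200,
     "uri": "/npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2",
     # constructed: only the tokens the ET rule matches on (_transaction=, reportName, traversal)
     "body": "_transaction=<reportName>..%2F..%2F..%2Fetc%2Fpasswd</reportName>",
     "resp": "root:x:0:0:root:/root:/bin/bash"},
    {"src": "198.51.100.9", "method": "GET", "status": 500,
     "uri": "/npm-pwg/ReconcileWizard/reconcilewizard/sc/IDACall", "body": "",
     "resp": "java.lang.NullPointerException at com.mitel.npm.web.console"},
    {"src": "192.0.2.10", "method": "GET", "status": 200,
     "uri": "/ucs/", "body": "", "resp": "<html>"},
]

# '..;/' on the /npm-pwg/ path: the authentication-bypass pattern from the bullets.
BYPASS_RE = re.compile(r"\.\.;/")
# Two or more '../' or '..\' steps: the traversal shape the ET rule's pcre looks for.
TRAVERSAL_RE = re.compile(r"(?:\.\.[\\/]){2,}")
# Strings the page lists as signs of probing the NPM component.
PROBE_MARKERS = ("com.mitel.npm.web.console", "java.lang.NullPointerException")
# The page's two YARA-style regexes for leaked file contents in responses.
LEAK_RES = [re.compile(r"root:.*:0:0:"), re.compile(r"micollab_api:.*:.*")]


def match_record(rec):
    """Return the list of detection names that fire on one log record."""
    hits = []
    uri = unquote(rec["uri"])    # normalise %2e%2e%3b -> ..; before matching
    body = unquote(rec["body"])  # same for %2F / %5C in the request body
    if "/npm-pwg/" in uri and BYPASS_RE.search(uri):
        hits.append("npm-pwg-auth-bypass")
    if (rec["method"] == "POST" and "ReconcileWizard" in uri
            and "reportName" in body and TRAVERSAL_RE.search(body)):
        hits.append("reconcilewizard-traversal")
    if rec["status"] == 500 and any(m in rec["resp"] for m in PROBE_MARKERS):
        hits.append("npm-probe-500")
    if any(r.search(rec["resp"]) for r in LEAK_RES):
        hits.append("sensitive-file-in-response")
    return hits


def triage(records):
    """Group detection names by source IP so an analyst can prioritise per host."""
    by_src = {}
    for rec in records:
        for name in match_record(rec):
            by_src.setdefault(rec["src"], set()).add(name)
    return {src: sorted(names) for src, names in by_src.items()}


if __name__ == "__main__":
    for src, names in triage(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(names)}")
```

Decoding the URI and body once before matching is what keeps the '..;/' and '../' checks honest against percent-encoded variants; the ET rule handles the same thing with its alternations (%2e, %2f, %5c). A single source that trips both the bypass and the traversal check, and then returns a line matching the passwd regex, is the pattern the bullets describe as a successful chain rather than a probe.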

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL