CVE-2024-41710
Published: 2024-08-12
Priority: P1 · 82 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability (KEV), due 2025-03-05
Exploited in the wild (ITW)
EPSS: 41.61% (98.5th percentile)
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | 6863i_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6865i_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6867i_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6869i_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6873i_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6905_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6910_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6915_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6920_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6920w_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6930_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6930w_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6940_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6940w_sip_firmware | <= 6.4.0.136 | — |
| mitel | 6970_firmware | <= 6.4.0.136 | — |
Detection & IOCs (extracted from sources)
url: /8021xsupport.html
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/8021xsupport.html"; fast_pattern; http.request_body; content:"802|2e|1x|2b|identity|3d|"; pcre:"/^[^\x26]*?\x25(?:\x21d\x28|dt)/R"; reference:url,www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones; reference:cve,2024-41710; classtype:web-application-attack; sid:2059785; rev:1; metadata:affected_product Mitel, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_30, cve CVE_2024_41710, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
802|2e|1x|2b|identity|3d|
- Exploit traffic is an HTTP POST request to /8021xsupport.html; inspect the request body for the pattern '802.1x+identity=' (encoded as 802|2e|1x|2b|identity|3d|) followed by a PCRE-matched argument injection payload using percent-encoded sequences (%!d( or %dt).
- The vulnerability is exploited during the boot process via insufficient parameter sanitization; monitor for unexpected command execution originating from SIP phone management interfaces (Mitel 6800/6900/6900w Series and 6970 Conference Unit).
- This CVE is being actively exploited in the wild by the Aquabot Mirai variant; correlate detections with known Mirai botnet C2 infrastructure and watch for post-exploitation bot enrollment behavior.
- The Snort/Suricata rule (sid:2059785) includes a 'tls_state TLSDecrypt' metadata tag and a 'deployment SSLDecrypt' tag, meaning it will only fire on TLS-decrypted traffic. Ensure your sensor is configured for TLS inspection to detect encrypted exploitation attempts.
- The vulnerability requires the attacker to be authenticated with administrative privilege; detections should be correlated with prior authentication events to confirm exploitation rather than treating the POST alone as definitive compromise.
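The conditions of the rule above, replayed over stored HTTP request records for retrospective hunting where no sensor alert exists. This is an added example, not part of the original page or of the Emerging Threats rule set; the record layout (`ts`, `src`, `method`, `uri`, `body`), the helper names and the sample records are assumptions constructed for illustration, and bodies are assumed to be logged raw (not URL-decoded).

```python
import re

# Literal patterns from the rule on this page (sid:2059785).
URI_MARKER = b"/8021xsupport.html"
BODY_MARKER = b"802.1x+identity="   # 802|2e|1x|2b|identity|3d|
# pcre /^[^\x26]*?\x25(?:\x21d\x28|dt)/R: starting where BODY_MARKER ends,
# stay inside the same form field (no '&'), then '%' plus '!d(' or 'dt'.
FIELD_TOKEN = re.compile(rb"[^&]*?%(?:!d\(|dt)")


def matches_rule(method: bytes, uri: bytes, body: bytes) -> bool:
    """True when a request meets the method, URI and body conditions."""
    if b"POST" not in method or URI_MARKER not in uri:
        return False
    # Try every occurrence of the marker, not only the first one.
    pos = body.find(BODY_MARKER)
    while pos != -1:
        if FIELD_TOKEN.match(body, pos + len(BODY_MARKER)):
            return True
        pos = body.find(BODY_MARKER, pos + 1)
    return False


def hunt(records):
    """Return (timestamp, source) for each logged request the rule flags."""
    return [(r["ts"], r["src"]) for r in records
            if matches_rule(r["method"], r["uri"], r["body"])]


def rec(ts, src, method, uri, body):
    """Build one record in the assumed log layout."""
    return {"ts": ts, "src": src, "method": method, "uri": uri, "body": body}


# Constructed records (not real traffic); bodies are raw, undecoded bytes.
SAMPLE = [
    rec("t1", "192.0.2.10", b"POST", b"/8021xsupport.html",
        b"802.1x+identity=CONSTRUCTED%dtPLACEHOLDER&other=x"),
    rec("t2", "192.0.2.11", b"POST", b"/8021xsupport.html",
        b"802.1x+identity=alice&note=100%dt"),   # token sits in another field
    rec("t3", "192.0.2.12", b"GET", b"/8021xsupport.html", b""),
    rec("t4", "192.0.2.13", b"POST", b"/8021xsupport.html",
        b"802.1x+identity=a&802.1x+identity=CONSTRUCTED%!d(PLACEHOLDER"),
    rec("t5", "192.0.2.14", b"POST", b"/other.html",
        b"802.1x+identity=CONSTRUCTED%dt"),      # wrong URI
]

if __name__ == "__main__":
    for ts, src in hunt(SAMPLE):
        print(ts, src)
```

Because exploitation requires administrative authentication, each hit is a lead to correlate with login events for the same source rather than proof of compromise.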
CVSS provenance
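| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |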
CISA
Mitel SIP Phones Argument Injection Vulnerability
cisa·2025-02-12·CVSS 7.2
CVE-2024-41710 [HIGH] CWE-88 Mitel SIP Phones Argument Injection Vulnerability
Vulnerability: Mitel SIP Phones Argument Injection Vulnerability
Affected: Mitel SIP Phones
Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_24-0019-001-v2.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2024-41710
Remediation Due Date: 2025-03-05
GHSA
GHSA-w287-4mr4-4v3v: A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6
ghsa_unreviewed·2024-08-12
CVE-2024-41710 [MEDIUM] CWE-88 GHSA-w287-4mr4-4v3v: A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.
VulnCheck
Mitel SIP Phones Argument Injection Vulnerability
vulncheck·2024·CVSS 7.2
CVE-2024-41710 [HIGH] CWE-88 Mitel SIP Phones Argument Injection Vulnerability
Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.
Affected: Mitel SIP Phones
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerabilit
Suricata
ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)
suricata·2025-01-30·CVSS 7.2
CVE-2024-41710 [HIGH] ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/8021xsupport.html"; fast_pattern; http.request_body; content:"802|2e|1x|2b|identity|3d|"; pcre:"/^[^\x26]*?\x25(?:\x21d\x28|dt)/R"; reference:url,www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones; reference:cve,2024-41710; classtype:web-application-attack; sid:2059785; rev:1; metadata:affected_product Mitel, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_30, cve CVE_2024_41710, deployment Perimeter, deployment Internal, deploym
No public exploits indexed.
Published: 2024-08-12
Added to CISA KEV: 2025-02-12
Exploited in the wild