CVE-2024-41710
published 2024-08-12

Priority: P182 (high)
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2025-03-05
ITW: Exploited in the wild
EPSS: 41.61% (98.5th percentile)

A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.

Affected

15 ranges
Vendor  Product              Version range  Fixed in
mitel   6863i_sip_firmware   <= 6.4.0.136
mitel   6865i_sip_firmware   <= 6.4.0.136
mitel   6867i_sip_firmware   <= 6.4.0.136
mitel   6869i_sip_firmware   <= 6.4.0.136
mitel   6873i_sip_firmware   <= 6.4.0.136
mitel   6905_sip_firmware    <= 6.4.0.136
mitel   6910_sip_firmware    <= 6.4.0.136
mitel   6915_sip_firmware    <= 6.4.0.136
mitel   6920_sip_firmware    <= 6.4.0.136
mitel   6920w_sip_firmware   <= 6.4.0.136
mitel   6930_sip_firmware    <= 6.4.0.136
mitel   6930w_sip_firmware   <= 6.4.0.136
mitel   6940_sip_firmware    <= 6.4.0.136
mitel   6940w_sip_firmware   <= 6.4.0.136
mitel   6970_firmware        <= 6.4.0.136

Detection & IOCs (extracted from sources)

url: /8021xsupport.html
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/8021xsupport.html"; fast_pattern; http.request_body; content:"802|2e|1x|2b|identity|3d|"; pcre:"/^[^\x26]*?\x25(?:\x21d\x28|dt)/R"; reference:url,www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones; reference:cve,2024-41710; classtype:web-application-attack; sid:2059785; rev:1; metadata:affected_product Mitel, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_30, cve CVE_2024_41710, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: 802|2e|1x|2b|identity|3d|
  • Exploit traffic is an HTTP POST request to /8021xsupport.html; inspect the request body for the pattern '802.1x+identity=' (written in the rule as 802|2e|1x|2b|identity|3d|) followed, before the next '&' delimiter, by the PCRE-matched argument injection payload, which begins with a literal percent sign (%!d( or %dt).
  • The vulnerability is exploited during the boot process via insufficient parameter sanitization; monitor for unexpected command execution originating from SIP phone management interfaces (Mitel 6800/6900/6900w Series and 6970 Conference Unit).
  • This CVE is being actively exploited in the wild by the Aquabot Mirai variant; correlate detections with known Mirai botnet C2 infrastructure and watch for post-exploitation bot enrollment behavior.
  • The Snort/Suricata rule (sid:2059785) includes a 'tls_state TLSDecrypt' metadata tag and a 'deployment SSLDecrypt' tag, meaning it can only match HTTPS exploitation attempts once the traffic has been TLS-decrypted. Ensure your sensor is configured for TLS inspection to detect encrypted exploitation attempts.
  • The vulnerability requires the attacker to be authenticated with administrative privilege; detections should be correlated with prior authentication events to confirm exploitation rather than treating the POST alone as definitive compromise.

CVSS provenance

nvd        v3.1  7.2  HIGH  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck        7.2  HIGH
cisa             7.2  HIGH