CVE-2024-41713
published 2024-10-21

Priority: P1 · 97 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-01-28
Exploited in the wild
EPSS: 98.07% (99.9th percentile)
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | micollab | <= 9.8.1.201 | |

Detection & IOCs (extracted from sources)

url: GET /npm-pwg/..;/axis2-AWC/services/listServices HTTP/1.1
url: GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1
path: /npm-pwg/..;/axis2-AWC/services/listServices
path: /npm-pwg/..;/usp/searchUsers.do
path: /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall
command: ../../../etc/passwd injected into reportName parameter
  • Detect path traversal attempts using the '..;/' bypass sequence targeting the /npm-pwg/ endpoint, specifically probing /axis2-AWC/services/listServices — a successful response contains 'Available services' and 'Service Description' with HTTP 200.
  • Monitor for POST requests to /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall with Content-Type: application/x-www-form-urlencoded containing path traversal strings (e.g., ../../../etc/passwd) in the reportName parameter.
  • Monitor logs for suspicious activity targeting the ReconcileWizard servlet or path traversal patterns, and monitor for unexpected access to sensitive files or configuration data.
  • Response body matching regex 'root:.*:0:0:' or 'micollab_api:.*:.*' in replies to ReconcileWizard requests indicates successful exploitation and file read of /etc/passwd.
  • The vulnerability is exploitable without authentication; any unauthenticated request using the '..;/' path traversal sequence against /npm-pwg/ should be treated as a high-priority alert.
  • GreyNoise observed attacker reconnaissance/exploitation activity within hours of the PoC release on December 5, 2024; use GreyNoise tag for CVE-2024-41713 to identify and block scanning IPs.
  • The path traversal bypass uses the '..;/' sequence (semicolon-based bypass), not a standard '../' sequence, which may evade WAF rules that only check for classic path traversal patterns.
  • CVE-2024-41713 affects Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201); the fix was released in MiCollab version 9.6 (October 2024) per GreyNoise, but the NVD advisory references 9.8 SP1 FP2 as the last vulnerable version. Verify the exact patched version against MISA-2024-0029.
  • The Nuclei template for CVE-2024-41713 chains the auth bypass with a subsequent request to /usp/searchUsers.do to confirm unauthenticated access before attempting further exploitation; detection logic should account for this two-step chained request pattern.
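
One way to apply the request-side checks above to web access logs, as an added example that is not part of the original page or of any vendor tooling. It assumes combined-log-format lines from a proxy in front of MiCollab; the sample lines, finding labels and function names are constructed for illustration, and percent-decoding the path before matching goes slightly beyond the literal strings listed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed input: combined-log-format lines from a proxy in front of MiCollab.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
BYPASS = '/npm-pwg/..;'  # the '..;/' sequence from the IOC list above
RECONCILE = '/ReconcileWizard/reconcilewizard/sc/IDACall'
TARGETS = {'/axis2-AWC/services/listServices': 'probe',
           '/usp/searchUsers.do': 'auth-bypass-check'}

def classify(method, raw_path):
    """Return a finding label (hypothetical names) for one request, else None."""
    # Decode %2e / %3b so encoded forms of '..;/' match as well.
    path = unquote(raw_path.split('?', 1)[0])
    if not path.startswith(BYPASS + '/'):
        return None
    target = path[len(BYPASS):]
    if method == 'POST' and target == RECONCILE:
        return 'reconcilewizard-post'
    return TARGETS.get(target, 'traversal-other')

def scan(lines):
    """Group findings per client IP and flag the two-step chained pattern."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and (label := classify(m['method'], m['path'])):
            findings[m['ip']].append((label, int(m['status'])))
    report = {}
    for ip, hits in findings.items():
        labels = [label for label, _ in hits]
        # Chained: searchUsers.do arrives after an earlier '..;/' request.
        chained = ('auth-bypass-check' in labels
                   and labels.index('auth-bypass-check') > 0)
        report[ip] = {'labels': labels, 'chained': chained,
                      'any_200': any(status == 200 for _, status in hits)}
    return report

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2024:10:00:01 +0000] "GET /npm-pwg/..;/axis2-AWC/services/listServices HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Dec/2024:10:00:02 +0000] "GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1" 200 2048',
    '198.51.100.7 - - [06/Dec/2024:10:05:00 +0000] "POST /npm-pwg/%2e%2e%3b/ReconcileWizard/reconcilewizard/sc/IDACall HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Dec/2024:10:06:00 +0000] "GET /npm-pwg/ HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```

Access logs do not carry response bodies, so the 'root:.*:0:0:' body match described above has to be applied where responses are captured, such as a proxy or IDS.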

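CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vulncheck | | 9.1 | CRITICAL | |
| cisa | | 9.1 | CRITICAL | |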