CVE-2024-41713
Published 2024-10-21
Priority P197 · critical · 9.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-01-28
Exploited in the wild
EPSS: 98.07% (99.9th percentile)
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | micollab | <= 9.8.1.201 | — |
Detection & IOCs (extracted from sources)
- Detect path traversal attempts using the '..;/' bypass sequence targeting the /npm-pwg/ endpoint, specifically probing /axis2-AWC/services/listServices; a successful response contains 'Available services' and 'Service Description' with HTTP 200.
- Monitor for POST requests to /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall with Content-Type: application/x-www-form-urlencoded containing path traversal strings (e.g., ../../../etc/passwd) in the reportName parameter.
- Monitor logs for suspicious activity targeting the ReconcileWizard servlet or path traversal patterns, and monitor for unexpected access to sensitive files or configuration data.
- Response body matching regex 'root:.*:0:0:' or 'micollab_api:.*:.*' in replies to ReconcileWizard requests indicates successful exploitation and file read of /etc/passwd.
- The vulnerability is exploitable without authentication; any unauthenticated request using the '..;/' path traversal sequence against /npm-pwg/ should be treated as a high-priority alert.
- GreyNoise observed attacker reconnaissance/exploitation activity within hours of the PoC release on December 5, 2024; use GreyNoise tag for CVE-2024-41713 to identify and block scanning IPs.
- The path traversal bypass uses the '..;/' sequence (semicolon-based bypass), not a standard '../' sequence, which may evade WAF rules that only check for classic path traversal patterns.
- CVE-2024-41713 affects Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201); the fix was released in MiCollab version 9.6 (October 2024) per GreyNoise, but the NVD advisory references 9.8 SP1 FP2 as the last vulnerable version. Verify the exact patched version against MISA-2024-0029.
- The Nuclei template for CVE-2024-41713 chains the auth bypass with a subsequent request to /usp/searchUsers.do to confirm unauthenticated access before attempting further exploitation; detection logic should account for this two-step chained request pattern.
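The URI-based indicators in the list above can be checked against web access logs. The following is an added example, not code from any of the cited sources: it assumes combined-format access logs, uses constructed sample lines with documentation IP addresses, and goes slightly beyond the list by percent-decoding the URI first so that encoded forms of '..;/' are also matched.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2024:14:02:11 +0000] "GET /npm-pwg/..;/axis2-AWC/services/listServices HTTP/1.1" 200 5120
203.0.113.7 - - [05/Dec/2024:14:02:15 +0000] "POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall HTTP/1.1" 200 1834
203.0.113.7 - - [05/Dec/2024:14:02:19 +0000] "GET /usp/searchUsers.do HTTP/1.1" 200 912
198.51.100.23 - - [05/Dec/2024:14:05:40 +0000] "GET /npm-pwg/%2e%2e%3b/axis2-AWC/services/listServices HTTP/1.1" 404 0
192.0.2.10 - - [05/Dec/2024:14:06:02 +0000] "GET /usp/searchUsers.do HTTP/1.1" 302 0
192.0.2.10 - - [05/Dec/2024:14:06:05 +0000] "GET /npm-pwg/ HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# '..;/' anywhere in the path below /npm-pwg/ (semicolon variant, not plain '../').
TRAVERSAL_RE = re.compile(r"/npm-pwg/(?:[^?#]*/)?\.\.;/", re.IGNORECASE)

def fully_decode(uri, rounds=3):
    """Percent-decode repeatedly so %2e%2e%3b and double-encoded forms match."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def scan(log_text):
    """Return (client_ip, label, http_status) for each suspicious request."""
    findings, seen_traversal = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, raw_uri, status = m.groups()
        path = fully_decode(raw_uri.split("?", 1)[0])
        if TRAVERSAL_RE.search(path):
            seen_traversal.add(ip)
            if path.endswith("/axis2-AWC/services/listServices"):
                label = "listServices probe"
            elif method == "POST" and path.endswith("/ReconcileWizard/reconcilewizard/sc/IDACall"):
                label = "ReconcileWizard IDACall"
            else:
                label = "npm-pwg ..;/ traversal"
            findings.append((ip, label, int(status)))
        elif path.endswith("/usp/searchUsers.do") and ip in seen_traversal:
            # Second step of the chained pattern: same client, after a traversal hit.
            findings.append((ip, "chained searchUsers.do follow-up", int(status)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not record request or response bodies, so the reportName and response-body checks from the list need a proxy, WAF, or IDS with body inspection.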
CVSS provenance
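| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vulncheck | | 9.1 | CRITICAL | |
| cisa | | 9.1 | CRITICAL | |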
CISA
Mitel MiCollab Path Traversal Vulnerability
cisa·2025-01-07·CVSS 9.1
CVE-2024-55550 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Vulnerability: Mitel MiCollab Path Traversal Vulnerability
Affected: Mitel MiCollab
Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029 ; https://nvd.nist.gov/vuln/detail/CVE-2024-55550
Remediation Due Date: 2025-01-28
CISA
Mitel MiCollab Path Traversal Vulnerability
cisa·2025-01-07·CVSS 9.1
CVE-2024-41713 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Vulnerability: Mitel MiCollab Path Traversal Vulnerability
Affected: Mitel MiCollab
Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029 ; https://nvd.nist.gov/vuln/detail/CVE-2024-41713
Remediation Due Date: 2025-01-28
GHSA
GHSA-8v9w-9wj4-52p3: A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9
ghsa_unreviewed·2024-10-21
CVE-2024-41713 [HIGH] CWE-22 GHSA-8v9w-9wj4-52p3: A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
VulnCheck
Mitel MiCollab Path Traversal Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-41713 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Affected: Mitel MiCollab
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.greynoise.io/blog/from-poc-to-attacker-interest-in-hours-real-time-insights-into-mitel-micollab-vulnerabilities; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-11&host_type=src&vulnerability=cve-2024-41713; https
VulnCheck
Mitel MiCollab Path Traversal Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-55550 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Affected: Mitel MiCollab
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://digital.nhs.uk/cyber-alerts/2024/cc-4588; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.coveware.com/blog/2025/4/29/the-organizati
Suricata
ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)
suricata·2024-12-05·CVSS 9.1
CVE-2024-41713 [CRITICAL] ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall|3f|"; fast_pattern; http.request_body; content:"|5f|transaction|3d|"; content:"reportName"; distance:0; pcre:"/^(?:\x3e|%3[eE])[\x3c]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/; reference:cve,2024-41713; reference:cve,2024-55550; classtype:web-application-attack; sid:2058078; rev:1; meta
Suricata
ET WEB_SPECIFIC_APPS Mitel MiCollab Pre-Authentication SQLi (CVE-2024-35286)
suricata·2024-12-05·CVSS 9.8
CVE-2024-35286 [CRITICAL] ET WEB_SPECIFIC_APPS Mitel MiCollab Pre-Authentication SQLi (CVE-2024-35286)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel MiCollab Pre-Authentication SQLi (CVE-2024-35286)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/npm-pwg/"; fast_pattern; content:"|2e 2e 3b 2f|"; distance:0; content:"npm-admin/"; distance:0; http.request_body; content:"username|3d|"; pcre:"/^[^\x3d\r\n]*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/; reference:cve,2024-35286; classtype:web-application-attack; sid:2058075; rev:1; metadata:affected_product Mitel, attack_target Server, tls_state TLSDecrypt, created_at 2024_12_05, cve CVE_2024_3
Nuclei
Mitel MiCollab - Arbitary File Read
nuclei·CVSS 9.1
CVE-2024-55550 [CRITICAL] Mitel MiCollab - Arbitary File Read
The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
Template:
```yaml
id: CVE-2024-55550
info:
  name: Mitel MiCollab - Arbitary File Read
  author: DhiyaneshDk,watchTowr
  severity: critical
  description: |
    The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the
```
Nuclei
Mitel MiCollab - Authentication Bypass
nuclei·CVSS 9.1
CVE-2024-41713 [CRITICAL] Mitel MiCollab - Authentication Bypass
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
Template:
```yaml
id: CVE-2024-41713
info:
  name: Mitel MiCollab - Authentication Bypass
  author: DhiyaneshDK,watchTowr
  severity: high
  description: |
    A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exp
```
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Bleepingcomputer
Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
blogs_bleepingcomputer·2025-07-24·CVSS 9.1
[CRITICAL] Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
## Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
## Sergiu Gatlan
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform.
MX-ONE is the company's SIP-based communications system, which can scale to support hundreds of thousands of users.
The critical security flaw is due to an improper access control weakness discovered in the MiVoice MX-ONE Provisioning Manager component and has yet to be assigned a CVE ID. Unauthenticated attackers can exploit it in low-complexity attacks that don't require user interaction to gain unauthorized access to administrator accounts on unpatched systems.
According to Mitel, the vulnerability affects MiVoice MX-ONE runn
Bleepingcomputer
CISA warns of critical Oracle, Mitel flaws exploited in attacks
blogs_bleepingcomputer·2025-01-07·CVSS 9.8
CVE-2024-41713 [CRITICAL] CISA warns of critical Oracle, Mitel flaws exploited in attacks
## CISA warns of critical Oracle, Mitel flaws exploited in attacks
## Sergiu Gatlan
CISA has warned U.S. federal agencies to secure their systems against critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab systems that are actively exploited in attacks.
The cybersecurity agency added a critical path traversal vulnerability (CVE-2024-41713) found in the NuPoint Unified Messaging (NPM) component of Mitel's MiCollab unified communications platform to its Known Exploited Vulnerabilities Catalog.
This security bug allows attackers to perform unauthorized administrative actions and access user and network information.
"A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, an
Greynoiseio
From PoC to Attacker Interest in Hours: Real-Time Insights into Mitel MiCollab Vulnerabilities
blogs_greynoiseio·2024-12-10·CVSS 9.8
[CRITICAL] From PoC to Attacker Interest in Hours: Real-Time Insights into Mitel MiCollab Vulnerabilities
Bleepingcomputer
Mitel MiCollab zero-day flaw gets proof-of-concept exploit
blogs_bleepingcomputer·2024-12-05·CVSS 9.8
[CRITICAL] Mitel MiCollab zero-day flaw gets proof-of-concept exploit
## Mitel MiCollab zero-day flaw gets proof-of-concept exploit
## Bill Toulas
Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server's filesystem.
Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities.
It's utilized by various organizations, including large corporations, small to medium-sized enterprises, and companies operating on a remote or hybrid workforce model.
The latest vulnerability in the product was discovered by researchers at watchTowr, who, despite having reporte
Recorded Future
H1 2025 Malware and Vulnerability Trends
blogs_recorded_future
H1 2025 Malware and Vulnerability Trends
## H1 2025 Malware and Vulnerability Trends
## Executive Summary
The first half of 2025 (H1 2025) reflected a rapidly evolving threat landscape defined by the convergence of persistent legacy threats and advanced new tactics.
The total disclosed CVEs increased by 16% from H1 2024, and threat actors exploited 161 vulnerabilities with assigned CVEs, with nearly half linked to malware or ransomware campaigns. Microsoft remained the most targeted vendor, while edge security and gateway devices continued to be high-value targets for initial access. Malware activity was similarly dynamic: while law enforcement takedowns disrupted major players like LummaC2, a resurgence of legacy malware such as Sality indicated that old tools still offer utility for modern actors. Remote access trojans (RATs
- 2024-10-21: Published
- 2025-01-07: Added to CISA KEV
- Exploited in the wild