CVE-2024-55550
published 2024-12-10


Priority: P272 · low · 2.7 · CVSS 3.1
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:L / I:N / A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-01-28
Exploited in the wild
EPSS: 37.50% (98.3rd percentile)
Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| mitel | micollab | <= 9.8.1.201 | |

Detection & IOCs (extracted from sources)

url: GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1
url: POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2
path: /npm-pwg/..;/usp/searchUsers.do
path: /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall|3f|"; fast_pattern; http.request_body; content:"|5f|transaction|3d|"; content:"reportName"; distance:0; pcre:"/^(?:\x3e|%3[eE])[\x3c]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/; reference:cve,2024-41713; reference:cve,2024-55550; classtype:web-application-attack; sid:2058078; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_05, cve CVE_2024_41713_CVE_2024_55550, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara:
regex: micollab_api:.*:.*
  • Detect path traversal attempts using the '..;/' bypass sequence in HTTP URI targeting the /npm-pwg/ endpoint on MiCollab servers. The Snort/Suricata rule matches POST requests to /npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall with a 'reportName' body parameter containing path traversal sequences.
  • CVE-2024-55550 is frequently chained with CVE-2024-41713: an unauthenticated attacker first exploits CVE-2024-41713 (NuPoint Unified Messaging path traversal) to bypass authentication, then leverages CVE-2024-55550 to read arbitrary files. Monitor for sequential exploitation of both paths.
  • The exploit POST body contains a URL-encoded XML transaction with a 'reportName' parameter set to a path traversal string (e.g., ../../../etc/passwd). Decode and inspect POST bodies to /IDACall endpoints for such patterns.
  • Shodan/FOFA can be used to identify exposed MiCollab instances as attack surface. Defenders should audit internet-facing assets matching these queries.
  • Successful exploitation response body will contain /etc/passwd content. Monitor HTTP responses from MiCollab servers for patterns matching 'root:.*:0:0:' or 'micollab_api:.*:.*' which indicate successful file read.
  • The Nuclei template description and CISA KEV entry describe CVE-2024-55550 as requiring authentication (admin privileges), but the Nuclei template itself and its description treat it as unauthenticated. The authoritative NVD/CISA entries confirm it requires an authenticated admin attacker. The template may conflate CVE-2024-55550 with CVE-2024-41713 behavior.
  • The Snort rule (sid:2058078) is primarily attributed to CVE-2024-41713 but references CVE-2024-55550 as well, reflecting the chained exploitation scenario. Triggering this rule alone does not confirm CVE-2024-55550 exploitation specifically.
  • Exploitation impact is limited: successful exploitation does not allow file modification or privilege escalation, and accessible files are described as non-sensitive system information when exploited standalone (without chaining with CVE-2024-41713).
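
The log-side checks described in the notes above, as an added example that is not taken from the page's sources or from Mitel: it normalises percent-encoding, matches the two `/npm-pwg/..;/` paths from the IOC list, inspects the decoded `reportName` value, and correlates both steps per source. The event tuple layout, the 300-second window and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

PREFIX = "/npm-pwg/..;/"  # bypass prefix from the IOC paths on this page
ENDPOINTS = {"usp/searchUsers.do": "searchUsers",
             "ReconcileWizard/reconcilewizard/sc/IDACall": "IDACall"}
# reportName value that begins with two or more ../ or ..\ segments
TRAVERSAL = re.compile(r"reportName\s*>\s*(?:\.{1,2}[/\\]+){2,}")

def decode(value):
    """Percent-decode twice so double-encoded input is normalised too."""
    return unquote(unquote(value))

def classify(method, uri, body=""):
    """Label one request, or return None when it does not use the prefix."""
    path = decode(uri).split("?", 1)[0]
    if not path.startswith(PREFIX):
        return None
    name = ENDPOINTS.get(path[len(PREFIX):], "other")
    if name == "IDACall" and method == "POST" and TRAVERSAL.search(decode(body)):
        return "IDACall+traversal"
    return name

def chained_sources(events, window=300):
    """Sources whose IDACall traversal follows an earlier prefixed request
    within `window` seconds; events are (epoch, src, method, uri, body)."""
    first_seen, flagged = {}, set()
    for ts, src, method, uri, body in sorted(events):
        label = classify(method, uri, body)
        if label is None:
            continue
        start = first_seen.setdefault(src, ts)
        if label == "IDACall+traversal" and 0 < ts - start <= window:
            flagged.add(src)
    return sorted(flagged)

# Constructed sample events: documentation addresses, invented timestamps.
SAMPLE = [
    (1000, "198.51.100.7", "GET", "/npm-pwg/..;/usp/searchUsers.do", ""),
    (1040, "198.51.100.7", "POST",
     "/npm-pwg/%2e%2e%3b/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1",
     "_transaction=%3CreportName%3E..%2F..%2F..%2Fetc%2Fpasswd%3C%2FreportName%3E"),
    (1050, "203.0.113.9", "POST",
     "/npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1",
     "_transaction=%3CreportName%3Emonthly%3C%2FreportName%3E"),
    (1060, "203.0.113.9", "GET", "/favicon.ico", ""),
]
```

A hit from `chained_sources` is a lead for triage; as the caveats above note, confirming which CVE was exercised still needs the request and response content.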

CVSS provenance

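| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | | 9.1 | CRITICAL | |
| cisa | | 9.1 | CRITICAL | |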