CVE-2024-55550
Published 2024-12-10
Priority: P2 · 72 · low · 2.7 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2025-01-28
Exploited in the wild
EPSS: 37.50% (98.3th percentile)
Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | micollab | <= 9.8.1.201 | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall|3f|"; fast_pattern; http.request_body; content:"|5f|transaction|3d|"; content:"reportName"; distance:0; pcre:"/^(?:\x3e|%3[eE])[\x3c]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/; reference:cve,2024-41713; reference:cve,2024-55550; classtype:web-application-attack; sid:2058078; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_12_05, cve CVE_2024_41713_CVE_2024_55550, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara
regex: micollab_api:.*:.*
- Detect path traversal attempts that use the '..;/' bypass sequence in the HTTP URI against the /npm-pwg/ endpoint on MiCollab servers. The Snort/Suricata rule matches POST requests to /npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall with a 'reportName' body parameter containing path traversal sequences.
- CVE-2024-55550 is frequently chained with CVE-2024-41713: an unauthenticated attacker first exploits CVE-2024-41713 (NuPoint Unified Messaging path traversal) to bypass authentication, then leverages CVE-2024-55550 to read arbitrary files. Monitor for sequential exploitation of both paths.
- The exploit POST body contains a URL-encoded XML transaction with a 'reportName' parameter set to a path traversal string (e.g., ../../../etc/passwd). Decode and inspect POST bodies to /IDACall endpoints for such patterns.
- Shodan/FOFA can be used to identify exposed MiCollab instances as attack surface. Defenders should audit internet-facing assets matching these queries.
- On successful exploitation, the response body will contain /etc/passwd content. Monitor HTTP responses from MiCollab servers for patterns matching 'root:.*:0:0:' or 'micollab_api:.*:.*', which indicate a successful file read.
- The CISA KEV entry describes CVE-2024-55550 as requiring authentication (admin privileges), but the Nuclei template and its description treat it as unauthenticated. The authoritative NVD/CISA entries confirm it requires an authenticated admin attacker. The template may conflate CVE-2024-55550 with CVE-2024-41713 behavior.
- The Snort rule (sid:2058078) is primarily attributed to CVE-2024-41713 but references CVE-2024-55550 as well, reflecting the chained exploitation scenario. Triggering this rule alone does not confirm CVE-2024-55550 exploitation specifically.
- Exploitation impact is limited: successful exploitation does not allow file modification or privilege escalation, and accessible files are described as non-sensitive system information when exploited standalone (without chaining with CVE-2024-41713).
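The request and response checks from the detection notes above, combined into one log-review function. This is an added Python example, not part of the original page or of any vendor tooling; the function names, finding labels and sample transactions are constructed, and the placement of the traversal directly after `reportName>` is an assumption taken from the Suricata rule quoted above.

```python
import re
from urllib.parse import unquote

# Two or more "../" or "..\" steps right after reportName> (cf. sid:2058078).
TRAVERSAL = re.compile(r"reportName>\s*(?:\.{1,2}[/\\]+){2,}")
# Response patterns this page names as signs of a successful /etc/passwd read.
LEAK = re.compile(r"root:.*:0:0:|micollab_api:.*:.*")


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(method, uri, request_body, response_body=""):
    """Return the list of indicators seen in one HTTP transaction."""
    findings = []
    path = decode_fully(uri)
    if method.upper() != "POST" or "/IDACall" not in path:
        return findings
    if "/npm-pwg/..;/" in path:
        findings.append("bypass_uri")  # the '..;/' sequence (CVE-2024-41713)
    body = decode_fully(request_body)
    if "_transaction=" in body and TRAVERSAL.search(body):
        findings.append("reportName_traversal")
        if LEAK.search(response_body):
            findings.append("file_content_in_response")
    return findings


IDACALL = "/npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?"
SAMPLES = {  # constructed, simplified transactions (not captured traffic)
    "read": ("POST", IDACALL,
             "_transaction=%3CreportName%3E..%2F..%2F..%2Fetc%2Fpasswd",
             "root:x:0:0:root:/root:/bin/bash\n"),
    "double": ("POST", IDACALL,
               "_transaction=%253CreportName%253E..%252F..%252Fetc", "error"),
    "benign": ("POST", "/ReconcileWizard/reconcilewizard/sc/IDACall?",
               "_transaction=%3CreportName%3ESummary", ""),
}

if __name__ == "__main__":
    for name, txn in SAMPLES.items():
        print(name, classify(*txn))
```

Reporting the URI, body and response indicators separately keeps a bypass-only hit distinct from a confirmed file read, which matters because the rule alone does not confirm CVE-2024-55550 exploitation.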
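CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | — | 9.1 | CRITICAL | — |
| cisa | — | 9.1 | CRITICAL | — |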
CISA
Mitel MiCollab Path Traversal Vulnerability
cisa·2025-01-07·CVSS 9.1
CVE-2024-55550 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Vulnerability: Mitel MiCollab Path Traversal Vulnerability
Affected: Mitel MiCollab
Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029 ; https://nvd.nist.gov/vuln/detail/CVE-2024-55550
Remediation Due Date: 2025-01-28
CISA
Mitel MiCollab Path Traversal Vulnerability
cisa·2025-01-07·CVSS 9.1
CVE-2024-41713 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Vulnerability: Mitel MiCollab Path Traversal Vulnerability
Affected: Mitel MiCollab
Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029 ; https://nvd.nist.gov/vuln/detail/CVE-2024-41713
Remediation Due Date: 2025-01-28
GHSA
GHSA-4c8h-4mm2-mm5g: Mitel MiCollab through 9
ghsa_unreviewed·2024-12-10
CVE-2024-55550 [MEDIUM] CWE-125 GHSA-4c8h-4mm2-mm5g: Mitel MiCollab through 9
Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.
VulnCheck
Mitel MiCollab Path Traversal Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-41713 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Mitel MiCollab Path Traversal Vulnerability
Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Affected: Mitel MiCollab
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.greynoise.io/blog/from-poc-to-attacker-interest-in-hours-real-time-insights-into-mitel-micollab-vulnerabilities; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-11&host_type=src&vulnerability=cve-2024-41713; https
VulnCheck
Mitel MiCollab Path Traversal Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-55550 [CRITICAL] CWE-22 Mitel MiCollab Path Traversal Vulnerability
Mitel MiCollab Path Traversal Vulnerability
Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Affected: Mitel MiCollab
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://digital.nhs.uk/cyber-alerts/2024/cc-4588; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.coveware.com/blog/2025/4/29/the-organizati
Suricata
ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)
suricata·2024-12-05·CVSS 9.1
CVE-2024-41713 [CRITICAL] ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)
ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel MiCollab Unauthenticated Path Traversal (CVE-2024-41713)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/npm-pwg/|2e 2e 3b|/ReconcileWizard/reconcilewizard/sc/IDACall|3f|"; fast_pattern; http.request_body; content:"|5f|transaction|3d|"; content:"reportName"; distance:0; pcre:"/^(?:\x3e|%3[eE])[\x3c]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/; reference:cve,2024-41713; reference:cve,2024-55550; classtype:web-application-attack; sid:2058078; rev:1; meta
Nuclei
Mitel MiCollab - Arbitary File Read
nuclei·CVSS 9.1
CVE-2024-55550 [CRITICAL] Mitel MiCollab - Arbitary File Read
Mitel MiCollab - Arbitary File Read
The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
Template:
id: CVE-2024-55550
info:
  name: Mitel MiCollab - Arbitary File Read
  author: DhiyaneshDk,watchTowr
  severity: critical
  description: |
    The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Bleepingcomputer
Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
blogs_bleepingcomputer·2025-07-24·CVSS 9.1
[CRITICAL] Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
## Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
## Sergiu Gatlan
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform.
MX-ONE is the company's SIP-based communications system, which can scale to support hundreds of thousands of users.
The critical security flaw is due to an improper access control weakness discovered in the MiVoice MX-ONE Provisioning Manager component and has yet to be assigned a CVE ID. Unauthenticated attackers can exploit it in low-complexity attacks that don't require user interaction to gain unauthorized access to administrator accounts on unpatched systems.
According to Mitel, the vulnerability affects MiVoice MX-ONE runn
Bleepingcomputer
CISA warns of critical Oracle, Mitel flaws exploited in attacks
blogs_bleepingcomputer·2025-01-07·CVSS 9.8
CVE-2024-41713 [CRITICAL] CISA warns of critical Oracle, Mitel flaws exploited in attacks
## CISA warns of critical Oracle, Mitel flaws exploited in attacks
## Sergiu Gatlan
CISA has warned U.S. federal agencies to secure their systems against critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab systems that are actively exploited in attacks.
The cybersecurity agency added a critical path traversal vulnerability (CVE-2024-41713) found in the NuPoint Unified Messaging (NPM) component of Mitel's MiCollab unified communications platform to its Known Exploited Vulnerabilities Catalog.
This security bug allows attackers to perform unauthorized administrative actions and access user and network information.
"A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, an
Recorded Future
H1 2025 Malware and Vulnerability Trends
blogs_recorded_future
H1 2025 Malware and Vulnerability Trends
## H1 2025 Malware and Vulnerability Trends
## Executive Summary
The first half of 2025 (H1 2025) reflected a rapidly evolving threat landscape defined by the convergence of persistent legacy threats and advanced new tactics.
The total disclosed CVEs increased by 16% from H1 2024, and threat actors exploited 161 vulnerabilities with assigned CVEs, with nearly half linked to malware or ransomware campaigns. Microsoft remained the most targeted vendor, while edge security and gateway devices continued to be high-value targets for initial access. Malware activity was similarly dynamic: while law enforcement takedowns disrupted major players like LummaC2, a resurgence of legacy malware such as Sality indicated that old tools still offer utility for modern actors. Remote access trojans (RATs
- 2024-12-10: Published
- 2025-01-07: Added to CISA KEV
- Exploited in the wild