CVE-2025-47188
published 2025-08-07


Priority: P1 (81)
CVSS 3.1: 6.5 medium (AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N)
Exploit status: ITW exploit; VulnCheck KEV; exploited in the wild
EPSS: 48.49% (98.7th percentile)
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the context of the phone, leading to disclosure or modification of sensitive configuration data or affecting device availability and operation.

Detection & IOCs (extracted from sources)

port: 49249/tcp
url: /cgi-bin/webconfig?page=upload_ringtone&action=submit
path: /cgi-bin/webconfig
command: fake$(sh ${HOME}userdata${HOME}ringtone${HOME}{{random_number}}.txt).wav
other (search query): icon_hash="-1940372141" || icon_hash="-447557905"
bytes: 524946462400000057415645666d7420100000000100010044ac000088580100020010006461746100000000
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel webconfig upload_ringtone Unauthenticated Command Injection/File Upload Attempt (CVE-2025-47188, CVE-2025-47187)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/webconfig|3f|"; startswith; content:"page|3d|upload_ringtone"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|upload_ringtone/newfile|22 3b 20|filename|3d 22|"; content:"RIFF|24|"; distance:0; content:"WAVEfmt"; within:20; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/; reference:cve,2025-47188; reference:cve,2025-47187; classtype:web-application-attack; sid:2063686; rev:1; metadata:affected_product Mitel, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_23, cve CVE_2025_47188_CVE_2025_47187, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit uses a two-stage HTTP POST attack: first uploads a disguised WAV file (valid RIFF/WAVE header) containing a shell command to the ringtone upload endpoint, then triggers execution via a crafted filename containing shell metacharacters (e.g., $(...)) in a second POST request.
  • The injected command payload is embedded in the multipart filename field using shell command substitution syntax: `fake$(sh ${HOME}userdata${HOME}ringtone${HOME}<name>.txt).wav` — detect shell metacharacters ($, ;, |, `, newline) in the filename parameter of upload_ringtone multipart requests.
  • The WAV bypass file starts with a valid RIFF/WAVE header (magic bytes: 52 49 46 46 ... 57 41 56 45 66 6d 74) to pass file-type validation, followed by the injected shell command payload.
  • The exploit is unauthenticated — no session cookie or credentials are required. Alert on POST requests to /cgi-bin/webconfig with page=upload_ringtone from unauthenticated sources.
  • Snort/Suricata PCRE for detecting shell injection characters in the request body after the filename field: `/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R`
  • OOB/OAST detection: successful exploitation causes the device to issue an outbound DNS/HTTP callback (curl to an interactsh/collaborator URL). Monitor for unexpected outbound HTTP/DNS from Mitel phone IP ranges.
  • Successful first-stage response contains the string 'ringtone.html' in the response body — use this as a confirmation indicator that the upload endpoint is reachable and accepted the file.
  • The Nuclei template targets port 49249/tcp specifically; standard web scanning on ports 80/443 will miss this service. Ensure network monitoring and IDS rules cover this non-standard port.
  • The Snort rule (sid:2063686) is scoped to plaintext traffic only (tls_state plaintext) — TLS-encrypted sessions to the device will not be detected by this rule.
  • The vulnerability affects the Mitel 6800, 6900 and 6900w Series SIP Phones AND the 6970 Conference Unit through firmware 6.4 SP4 (R6.4.0.4006), as well as 6970 version V1 R0.1.0 — scope detection to all of these device families.
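As an added, defender-side example (not part of the cvebase record, the ET rule, or the InfoGuard write-up), the following Python reproduces the conditions of the Snort rule above as offline request inspection: a POST to /cgi-bin/webconfig with page=upload_ringtone, a filename in the upload_ringtone/newfile multipart part that contains one of the PCRE's shell metacharacters, and a RIFF/WAVE header following it. The sample requests, the multipart boundary, the host address and the placeholder file body are constructed for the example; the WAV header bytes are the page's "bytes" IOC.

```python
import re
from urllib.parse import parse_qs, urlsplit

# WAV header from the page's "bytes" IOC: "RIFF$...WAVEfmt " (matches the rule's
# content:"RIFF|24|" followed by "WAVEfmt" within 20 bytes).
WAV_HEADER = bytes.fromhex(
    "524946462400000057415645666d7420100000000100010044ac000088580100020010006461746100000000"
)

# Multipart part the rule anchors on (name="upload_ringtone/newfile"; filename="...").
FILENAME_RE = re.compile(
    rb'Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="([^"\r\n]*)"'
)
# Same metacharacter set as the rule's PCRE: ';', newline, backtick, '|', '$',
# raw or URL-encoded.
META_RE = re.compile(rb"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return method, target, body


def inspect_request(raw: bytes) -> dict:
    """Evaluate one request against the rule's conditions and report each one."""
    method, target, body = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    result = {
        "endpoint_match": method == "POST"
        and url.path == "/cgi-bin/webconfig"
        and query.get("page") == ["upload_ringtone"],
        "filename": None,
        "shell_metachars": False,
        "wav_header": False,
        "alert": False,
    }
    if not result["endpoint_match"]:
        return result
    m = FILENAME_RE.search(body)
    if m is None:
        return result
    filename = m.group(1)
    result["filename"] = filename.decode("latin-1")
    result["shell_metachars"] = META_RE.search(filename) is not None
    # distance:0 / within:20 -> RIFF$ after the filename, WAVEfmt shortly after it.
    rest = body[m.end():]
    i = rest.find(b"RIFF$")
    result["wav_header"] = i != -1 and b"WAVEfmt" in rest[i + 5:i + 25]
    # The rule fires only when every condition holds.
    result["alert"] = result["shell_metachars"] and result["wav_header"]
    return result


def build_request(target: bytes, filename: bytes, content: bytes, method: bytes = b"POST") -> bytes:
    """Construct a multipart upload request (constructed sample, not captured traffic)."""
    boundary = b"----constructed-boundary"
    body = (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="'
        + filename + b'"\r\n'
        + b"Content-Type: audio/wav\r\n\r\n"
        + content + b"\r\n--" + boundary + b"--\r\n"
    )
    return (
        method + b" " + target + b" HTTP/1.1\r\n"
        + b"Host: 192.0.2.10:49249\r\n"  # constructed address on the page's port
        + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
        + body
    )


# Constructed samples: the filename pattern from the page's "command" IOC with a
# placeholder file body, a benign ringtone upload, and a request to another page.
INJECTION_REQUEST = build_request(
    b"/cgi-bin/webconfig?page=upload_ringtone&action=submit",
    b"fake$(sh ${HOME}userdata${HOME}ringtone${HOME}1234.txt).wav",
    WAV_HEADER + b"# constructed placeholder body\n",
)
BENIGN_REQUEST = build_request(
    b"/cgi-bin/webconfig?page=upload_ringtone&action=submit",
    b"hold_music.wav",
    WAV_HEADER + b"\x00" * 16,
)
OTHER_ENDPOINT_REQUEST = build_request(
    b"/cgi-bin/webconfig?page=ringtone", b"x$(y).wav", WAV_HEADER
)

if __name__ == "__main__":
    for label, req in (("injection", INJECTION_REQUEST),
                       ("benign", BENIGN_REQUEST),
                       ("other endpoint", OTHER_ENDPOINT_REQUEST)):
        print(label, inspect_request(req))
```

Like the Snort rule, this only sees plaintext requests; for TLS sessions to the device the same check has to run behind a TLS-terminating proxy or on the device's own access logs. The alert is the conjunction of all conditions, so a benign ringtone upload with a valid WAV header and a clean filename is reported as reaching the endpoint but does not fire.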

CVSS provenance

NVD: v3.1 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
VulnCheck: 6.5 MEDIUM