PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files
==================================================================================

Still unpatched 100+ days later, watchTowr says
-----------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons) Fri 6 Dec 2024 // 06:01 UTC

A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances.

A proof-of-concept (PoC) exploit that strings together the two flaws was [published on Thursday](https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713?ref=labs.watchtowr.com) by watchTowr, which spotted and disclosed both to Mitel, after waiting 100-plus days for the vendor to issue a fix.

*The Register* has reached out to Mitel for comment and did not immediately receive a response to our questions, including when the zero-day will be patched. We will update this story if and when we hear back.

Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that allows users to communicate and connect with employees and customers via a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. It’s widely used, boasting more than 16,000 instances across the Internet. And, as such, it’s a very attractive target for [ransomware gangs](https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/) and other cybercriminals.

Back in May, watchTowr’s bug hunters discovered and disclosed to Mitel a [now-fixed](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014) critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of the MiCollab product. This 9.8-rated flaw is tracked as [CVE-2024-35286](https://nvd.nist.gov/vuln/detail/CVE-2024-35286), and could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations.
The vendor closed the hole in May.

Additionally, the watchTowr team found and reported an authentication bypass vulnerability ([CVE-2024-41713](https://nvd.nist.gov/vuln/detail/CVE-2024-41713)) that also affects the NPM component of Mitel MiCollab. This one is due to insufficient input validation, and it could be abused to allow an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users’ data and system configurations. Mitel [fixed](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029) this one in October.

While investigating these two security holes, watchTowr found a third flaw that hasn’t been assigned a CVE and doesn’t yet have a patch. It’s an arbitrary file read flaw that requires authentication to exploit — and this is why the PoC chains it with CVE-2024-41713, thus allowing an attacker to bypass authentication and then access files such as ‘/etc/passwd’ that contain account information.
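As an added illustration of the "insufficient input validation" behind a path-traversal file read (this is not Mitel's or watchTowr's code, and it does not model MiCollab's real endpoints), here is a naive file handler beside a hardened one; the document root and the file inside it are constructed for the demo:

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox standing in for an application's document root (not a real MiCollab path).
BASE = tempfile.mkdtemp(prefix="npm_files_")
os.makedirs(os.path.join(BASE, "reports"))
with open(os.path.join(BASE, "reports", "q3.txt"), "w") as fh:
    fh.write("quarterly report\n")


def naive_target(base: str, requested: str) -> str:
    """Insufficient input validation: decode and join, trusting the client-supplied name."""
    return os.path.join(base, unquote(requested))


def escapes_base(base: str, requested: str) -> bool:
    """True if the naive handler would resolve the request to a file outside base."""
    root = os.path.realpath(base)
    return os.path.commonpath([root, os.path.realpath(naive_target(base, requested))]) != root


def safe_target(base: str, requested: str):
    """Canonicalise, then require the result to stay inside base; None means rejected."""
    name = unquote(requested)  # decode exactly once, as the web tier would
    if "\x00" in name or os.path.isabs(name):
        return None
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, name))  # collapses '..' and symlinks
    if os.path.commonpath([root, target]) != root:
        return None  # the name walked out of the document root
    return target


def read_file(requested: str):
    """Hardened read handler: file content, or None when the name is rejected or absent."""
    target = safe_target(BASE, requested)
    if target is None or not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    for req in ("reports/q3.txt", "../../../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r}: naive escapes={escapes_base(BASE, req)} hardened={read_file(req)!r}")
```

The check is on the canonical path after resolution, not on the raw string, so percent-encoded and `..`-laden names are judged by where they actually land.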
The researchers say they contacted Mitel about the arbitrary file read bug on August 26 and the vendor, in October, promised a patch the first week in December.

‘Unfortunately, we’re past this period and have not seen any updates on Mitel’s Security Advisory page,’ according to a watchTowr [report](https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/) about the three bugs published on Thursday. ‘Since our disclosure email was sent over 100 days ago, we’ve decided to proceed and include this vulnerability within our blog post – but as of writing, it remains unpatched (albeit post-auth).’ ®