PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files
==================================================================================

Still unpatched 100+ days later, watchTowr says
-----------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons) Fri 6 Dec 2024 // 06:01 UTC

A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances.

watchTowr, which found and disclosed both flaws to Mitel, on Thursday [published a proof-of-concept (PoC) exploit](https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713?ref=labs.watchtowr.com) that strings the two together, after waiting 100-plus days for the vendor to issue a fix.

*The Register* has reached out to Mitel for comment and did not immediately receive a response to our questions, including when the zero-day will be patched. We will update this story if and when we hear back.

Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that lets users communicate and connect with employees and customers through voice, video, chat messaging, SMS, web conferencing and file sharing. It is widely used, with more than 16,000 instances reachable across the internet, which makes it an attractive target for [ransomware gangs](https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/) and other cybercriminals.

Back in May, watchTowr's bug hunters discovered and disclosed to Mitel a [now-fixed](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014) critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of MiCollab. The flaw, tracked as [CVE-2024-35286](https://nvd.nist.gov/vuln/detail/CVE-2024-35286) and rated 9.8, could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations. Mitel closed the hole in May.

The watchTowr team also found and reported an authentication bypass, [CVE-2024-41713](https://nvd.nist.gov/vuln/detail/CVE-2024-41713), affecting the same NPM component. It stems from insufficient input validation and can be abused by an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users' data and system configurations. Mitel [fixed](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029) this one in October.

While investigating these two holes, watchTowr found a third flaw that has not been assigned a CVE and does not yet have a patch: an arbitrary file read that requires authentication to exploit. That is why the PoC chains it with CVE-2024-41713: the auth bypass gets the attacker past the login, and the file read then exposes files such as `/etc/passwd`, which holds account information.
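The article describes the auth bypass only as a path traversal born of insufficient input validation, and gives no detail of the vector. The following is an added example, not Mitel's code and not watchTowr's PoC, that shows the bug class on a constructed file-serving helper: a naive handler that strips `../` once before joining, beside a hardened one that percent-decodes to a fixed point, canonicalises the path and refuses anything outside the web root. The `serve_file_naive` and `serve_file_hardened` functions, the temporary web root and the stand-in `passwd` file are all hypothetical fixtures built for the example.

```python
"""Added example (not Mitel's code or watchTowr's PoC): the path-traversal
bug class behind an arbitrary file read, on a constructed file-serving helper.

`serve_file_naive` and `serve_file_hardened` are hypothetical handlers that
map a user-supplied name to a file under a web root; everything here,
including the fixture files, is constructed for the example.
"""
import os
import tempfile
import urllib.parse
from pathlib import Path


def fully_decode(user_path: str) -> str:
    """Percent-decode until stable, so %252e%252e%252f (double-encoded ../)
    cannot slip past a check that decodes only once."""
    prev, cur = None, user_path
    while prev != cur:
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur


def serve_file_naive(base_dir: str, user_path: str) -> str:
    """Vulnerable: a token validation step (strip one '../') then a plain join.
    Kept deliberately broken to show the bug class; do not use."""
    cleaned = user_path.replace("../", "", 1)
    return Path(os.path.join(base_dir, cleaned)).read_text()


def serve_file_hardened(base_dir: str, user_path: str) -> str:
    """Resolve the candidate path and refuse anything outside the base directory."""
    base = Path(base_dir).resolve()
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    # lstrip: an absolute user path would otherwise replace `base` in the join.
    target = (base / decoded.lstrip("/\\")).resolve()
    try:
        target.relative_to(base)          # ValueError when target escapes base
    except ValueError:
        raise PermissionError(f"path escapes web root: {user_path!r}") from None
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_text()


def demo() -> dict:
    """Constructed fixture: a web root holding one public file, with a
    passwd-style file one directory above it standing in for /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "index.html").write_text("<h1>public</h1>")
        (Path(tmp) / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")

        results = {}
        # '....//' survives a single strip of '../' as '../', so the naive
        # handler walks out of the web root and returns the passwd file.
        results["naive_escape"] = serve_file_naive(str(root), "....//passwd")
        results["hardened_ok"] = serve_file_hardened(str(root), "index.html")
        for probe in ("../passwd", "%2e%2e%2fpasswd", "%252e%252e%252fpasswd"):
            try:
                serve_file_hardened(str(root), probe)
                results[probe] = "served"
            except PermissionError:
                results[probe] = "blocked"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:28} -> {outcome!r}")
```

The point of the hardened version is the order of operations: decode, then resolve, then compare against the resolved base. A blocklist of `../` applied before decoding, as in the naive handler, is exactly the kind of "insufficient input validation" that lets `....//` or a double-encoded sequence through.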
The researchers say they contacted Mitel about the arbitrary file read bug on August 26, and that in October the vendor promised a patch for the first week of December.

"Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page," watchTowr wrote in a [report](https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/) on the three bugs published on Thursday. "Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post – but as of writing, it remains unpatched (albeit post-auth)." ®