Bypass Bug Revives Critical N-Day in Mitel MiCollab
===================================================

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.

[Nate Nelson, Contributing Writer](/author/nate-nelson), December 5, 2024, 4 Min Read

[Image: Mitel's corporate logo on an office building. Source: Kristoffer Tripplaar via Alamy Stock Photo]

Two new vulnerabilities in Mitel's MiCollab unified communications and collaboration (UCC) platform could help expose gobs of enterprise data.

MiCollab is a cross-platform application for mobile devices and desktops that combines instant messaging, SMS, phone calls, video calls, file sharing, remote desktop sharing — really any form of collaboration that occurs within an organization, save talking out loud. Organizations rely on it heavily for day-to-day business operations and, invariably, to house large amounts of personal and communications data.

That's what made CVE-2024-35286 so inconvenient when it was discovered earlier this year. This SQL injection vulnerability, resulting from a lack of user input sanitization, earned a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) because it allowed attackers to access important business data and execute database and management operations at will. It came with a catch, though: a specific configuration was required to reach the vulnerable endpoint, where the treasure lay.

In a new blog post, researchers from watchTowr noted that "No sensible admin would do this" — referring to the undisclosed configuration — so the risk to well-administered organizations was low. However, the researchers went on to discover [a path traversal vulnerability](https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/) in MiCollab — not to mention a third, arbitrary file-read vulnerability — which rendered that one lone defense moot.

The New MiCollab Exploit Chain
------------------------------

At Black Hat six years ago, a researcher going by the moniker Orange Tsai presented research exposing issues with how Web applications handle [path normalization](https://www.darkreading.com/vulnerabilities-threats/path-traversal-bug-kyocera-office-printers). Using special characters in URLs, attackers could trick Web servers into giving them access to files and directories they shouldn't be able to access.

Researchers from watchTowr put this logic to the test while toying with CVE-2024-35286. Working from an Apache configuration for MiCollab published to the Web back in 2009, they discovered that they could use the input `..;/` to bypass all roadblocks on the way to the vulnerable endpoint — `/npm-admin`, from the NuPoint Unified Messaging (UM) component of the platform — with no authentication required. This stacked vulnerability was acknowledged as CVE-2024-41713 and given a "high" CVSS score of 7.5.

CVE-2024-41713 gave new life to the older CVE-2024-35286, and then the researchers discovered yet another zero-day allowing for arbitrary file read, which hasn't been assigned a CVE label or CVSS score. The three work best in combination: CVE-2024-41713 providing initial access, the arbitrary file-read issue providing visibility into files across the system, and CVE-2024-35286 enabling any number of malicious operations thereon. For its part, watchTowr published a [proof-of-concept (PoC) exploit](https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713) to GitHub that combines the first two.

"Based on public sources, there are over 10,000 publicly exposed Mitel MiCollab devices," notes Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. "Provided that NuPoint Unified Messaging (NPM) is enabled, a remote threat actor can use CVE-2024-41713 and the [file-read] zero-day to access arbitrary files on affected devices."

Which is exactly what the proof-of-concept code does, he adds. "It does so by accessing the npm-pwg directory and invoking the Reconcile Wizard, which is normally used to generate system reports. If the attacker gets ahold of sensitive files containing authentication information on the device, this could be used to gain access to the device and possibly snoop on conversations flowing through the vulnerable instance."

Hacking Enterprise Communications
---------------------------------

An email arrives in an employee's inbox from their boss. "Hi, please wire a payment to our contractor at [bank account number] immediately." The number one thing employees are told, to screen scams like this, is to call their boss to confirm the legitimacy of the email. But what if their phone system itself is breached?

"The vulnerabilities in Mitel MiCollab highlight a growing trend of attackers targeting communication platforms to gain access to sensitive systems," says Callie Guenther, senior manager of cyber threat research at Critical Start. Besides intercepting or blocking an organization's central lines of communication, snooping on employees, or simply causing general havoc, attackers can also use a platform like MiCollab to facilitate any number of other kinds of cyberattacks. "Similar issues have been exploited in the past, such as [the 2022 Mitel MiVoice Connect vulnerability (CVE-2022-29499)](https://www.darkreading.com/vulnerabilities-threats/lorenz-ransomware-smbs-mitel-voip-phone-systems), which ransomware groups used to deploy Web shells and move laterally through networks," she notes.

Both named CVEs have been patched as of Oct. 9. Mitel acknowledged the arbitrary file-read bug but had not yet patched it at the time of publication. Organizations with MiCollab up to date are covered most of the way, though, as this last issue requires authentication to exploit.
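The path-normalization bypass described above works because an access rule is applied to the request path as written while a downstream component first strips `;`-delimited path parameters and resolves `..` segments, so `/portal/..;/npm-admin/` passes the rule and still reaches `/npm-admin`. The following Python script is an added detection example, not code from the article, from watchTowr, or from Mitel: it canonicalizes each request path the way such a downstream component would and flags requests whose canonical form lands on a protected prefix the raw path did not start with, which catches any such normalization mismatch regardless of encoding. The `/npm-admin` prefix comes from the article; the Apache-style log lines, IP addresses, timestamps and the `SENSITIVE_PREFIXES` list are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines; not real MiCollab traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2024:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Dec/2024:10:00:02 +0000] "GET /npm-admin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2024:10:00:03 +0000] "GET /portal/..;/npm-admin/ HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [05/Dec/2024:10:00:04 +0000] "GET /portal/%2e%2e%3b/npm-admin/ HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.9 - - [05/Dec/2024:10:00:05 +0000] "GET /static/css/../app.css HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed list of prefixes that must only be reachable when named directly.
SENSITIVE_PREFIXES = ("/npm-admin",)

# A raw '..' segment, optionally carrying a ';' path parameter.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(;|/|$)')


def decode_path(target: str) -> str:
    """Drop the query string and URL-decode, bounded, to defeat double encoding."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize_path(path: str) -> str:
    """Canonicalize like a servlet container: strip ';param' from each segment,
    then resolve '.' and '..' segments."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # '..;' becomes '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def _under(path: str, prefixes) -> bool:
    """True if path equals one of the prefixes or sits beneath it."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def classify_request(target: str):
    """Return (canonical_path, reasons); an empty reasons list means not flagged."""
    decoded = decode_path(target)
    canonical = normalize_path(decoded)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-dot segment in request path")
    if ";" in decoded:
        reasons.append("path-parameter separator in request path")
    # The decisive check: the request only reaches a protected prefix after normalization.
    if _under(canonical, SENSITIVE_PREFIXES) and not _under(decoded, SENSITIVE_PREFIXES):
        reasons.append(f"normalizes to protected path {canonical}")
    return canonical, reasons


def scan_log(text: str):
    """Parse combined-log lines and return the flagged requests with their reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        canonical, reasons = classify_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "canonical": canonical,
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['target']} -> {f['canonical']} [{f['status']}]: "
              + "; ".join(f["reasons"]))
```

The first two checks are signature-style and will also fire on the harmless `/static/css/../app.css` line, so they are best treated as low severity; the third check is the one that matters, because it compares what the access rule saw with what the application will actually serve. The same comparison is the mitigation: a reverse proxy or front-end server should normalize the path before evaluating any allow or deny rule, and a 200 response on a request that only reaches a protected prefix after normalization is worth an alert on its own.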
About the Author
----------------

[Nate Nelson, Contributing Writer](/author/nate-nelson)

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.