ACSC publishes critical alert on Mitel MiCollab collaboration software
A pair of vulnerabilities in a popular collaboration suite could allow malicious actors to access sensitive data.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a critical alert about a pair of dangerous vulnerabilities in Mitel’s MiCollab collaboration software suite.
“ASD’s ACSC is tracking multiple vulnerabilities in the Mitel MiCollab collaboration software. The vulnerabilities identified are SQL Injection and Authentication Bypass/Path Traversal, which may allow access to sensitive content,” the critical alert said.
“We have assessed that there is significant exposure to the Mitel MiCollab vulnerabilities in Australia and that any exploitation would have a significant impact on Australian systems and networks.”
CVE-2024-35286 is a flaw in Mitel MiCollab’s NuPoint Messenger, present in versions up to 9.8.0.33. This vulnerability allows an unauthenticated attacker to launch a SQL injection attack because user input is not properly sanitized. This could lead to a malicious actor executing unauthorized commands and recovering sensitive data.
CVE-2024-41713 is a vulnerability in the NuPoint Unified Messaging component of Mitel MiCollab, present in versions up to 9.8 SP1 FP2 (9.8.1.201). Because of insufficient input validation, an unauthenticated attacker could perform a path traversal attack that bypasses authentication, which could lead to that actor viewing, altering, or even deleting user data.
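The two bug classes named above, unsanitized input reaching a SQL query and insufficient validation of a user-supplied path, are shown below in a deliberately generic form. This is an added example written for this page, not Mitel code and not a reproduction of either CVE: the mailbox table, the base directory `/srv/app/data`, and the function names are constructed for illustration. It pairs the vulnerable pattern with its hardened form for each class.

```python
import posixpath
import sqlite3
import urllib.parse


def build_sample_db():
    # Constructed sample data standing in for a messaging backend; not real MiCollab schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailboxes (mailbox TEXT, owner TEXT, pin TEXT)")
    conn.executemany(
        "INSERT INTO mailboxes VALUES (?, ?, ?)",
        [("1001", "alice", "4821"), ("1002", "bob", "9137")],
    )
    return conn


def lookup_unsafe(conn, mailbox):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    # caller controls query structure, not just a value.
    query = f"SELECT mailbox, owner, pin FROM mailboxes WHERE mailbox = '{mailbox}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, mailbox):
    # Hardened form: a bound parameter is always treated as data by the driver.
    query = "SELECT mailbox, owner, pin FROM mailboxes WHERE mailbox = ?"
    return conn.execute(query, (mailbox,)).fetchall()


def resolve_under(base_dir, user_path):
    """Return the normalised path of user_path inside base_dir, or None if it escapes.

    The check is lexical (posixpath only). A deployed service should additionally
    resolve symlinks with os.path.realpath before opening the file.
    """
    decoded = user_path
    for _ in range(2):
        # Percent-decode twice so double encoding (%252e -> %2e -> .) cannot slip past.
        decoded = urllib.parse.unquote(decoded)
    if "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    # posixpath.join discards base when decoded is absolute, so "/etc/passwd"
    # fails the containment check below instead of being silently prefixed.
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    conn = build_sample_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, payload))   # every row comes back
    print("safe:  ", lookup_safe(conn, payload))     # no row matches the literal string
    for p in ("1001/greeting.wav", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd", "/etc/passwd"):
        print(f"{p!r:32} -> {resolve_under('/srv/app/data', p)}")
```

The containment test uses `startswith(base + "/")` rather than a substring match so that a sibling directory such as `/srv/app/data2` is not accepted, and it rejects the bare base directory itself, since a file handler has no reason to serve that.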
Mitel has issued its own advisories about the vulnerabilities and the ACSC recommends that Mitel MiCollab users ensure their versions are up to date, be alert for suspicious activity, and implement firewall policies that limit access to the MiCollab server.
“The ASD ACSC is monitoring the situation and can provide assistance and advice as needed,” the ACSC said.
“Organizations or individuals who have been affected or need help can contact us on 1300 CYBER1 (1300 292 371).”