Chained for maximum impact
One of the Mitel flaws, tracked as CVE-2024-41713, is a critical (CVSS 9.8/10) path traversal vulnerability in the NuPoint Unified Messaging component of Mitel MiCollab that could allow an unauthenticated attacker to exploit a lack of sufficient input validation to gain unauthorized access and view, corrupt or delete user data and system configurations.
The other flaw, tracked as CVE-2024-55550 and rated moderately severe (CVSS 4.4/10), is another path traversal vulnerability that could allow authenticated attackers to read admin-level files on the local system due to insufficient input sanitization. The flaw, however, does not allow file modification or privilege escalation, Mitel had said in an October 2024 disclosure.
While technical details of the exploitation were not disclosed in the CISA update, it is important to note that these vulnerabilities could be chained together to allow remote attackers to read sensitive system files.