Security researchers have revealed a zero-day vulnerability in Mitel's MiCollab enterprise collaboration platform, along with a proof-of-concept exploit that could expose sensitive organizational data.
The newly discovered flaw, which currently lacks a CVE identifier, allows authenticated attackers to read sensitive files from affected systems. When combined with the recently patched CVE-2024-41713 authentication bypass vulnerability, attackers can potentially access critical files like /etc/passwd without authentication.
WatchTowr Labs researcher Sonny Macdonald disclosed these findings after initially investigating an earlier SQL injection vulnerability (CVE-2024-35286) in the platform. The research team discovered that over 16,000 MiCollab instances are currently exposed across the internet.
MiCollab serves as a comprehensive collaboration suite that integrates various communication tools including voice, video, messaging, and file sharing capabilities for enterprises. The platform's broad functionality makes it an attractive target for attackers seeking to compromise business communications.
While Mitel has already patched CVE-2024-41713 in MiCollab version 9.8 SP2 (9.8.2.12) and later releases, the company stated they plan to address the zero-day file read vulnerability in early December 2024.
Organizations using MiCollab can protect themselves by:
- Upgrading to version 9.8 SP2 or later
- Restricting server access to trusted IP ranges
- Limiting exposure to internal networks only
- Monitoring for suspicious activity
- Applying the upcoming patch when available
The researchers chose to publicly disclose the vulnerability after reporting it to Mitel over three months ago. This disclosure highlights ongoing security challenges in enterprise communication platforms that handle sensitive business data.