Mitel has informed customers this week that patches are now available for a critical
vulnerability in its MiCollab platform. The flaw can be exploited remotely without requiring user authentication.
This security issue, which has not yet been assigned a CVE identifier, is described as a path traversal vulnerability within the NuPoint Unified Messaging (NPM) component of MiCollab.
The flaw affects MiCollab versions up to 9.8 SP2 (9.8.2.12). A fix has been included in version 9.8 SP3 (9.8.3.1) and newer. Versions starting from MiCollab 10.0.0.26 are not impacted.
MiCollab is a communication and collaboration platform that offers features such as voice, video, chat, web conferencing, and team-based collaboration tools.
According to Mitel, the vulnerability may allow attackers to access provisioning data without authentication. This includes non-sensitive user and network information, and it could also permit unauthorized administrative actions on the MiCollab server.
Dahmani Toumi, the researcher who discovered the vulnerability reported that attackers can exploit the issue remotely via the internet, particularly in MiCollab instances that are publicly accessible.
Using the Shodan search engine, Toumi identified over 20,000 internet-facing MiCollab installations, though the number of vulnerable systems among them remains uncertain.
In real-world conditions, exploiting this flaw could result in data leaks, service outages, or deeper system compromise, Toumi explained. He noted that Mitel issued a patch for this vulnerability in February 2025. He also pointed out that this issue is a bypass of a previous fix released for CVE-2024-41713, another similar vulnerability disclosed in late 2024.
Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that CVE-2024-41713 had been actively exploited. That alert came alongside concerns about another MiCollab flaw, CVE-2024-55550.
Mitel products are frequently targeted by malicious actors. One recent example involves the Aquabot DDoS botnet, which was found exploiting a separate vulnerability in Mitel SIP phones.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
