Critical Vulnerability Exposes Many Mitel MiCollab Instances to Remote Hacking

Mitel this week informed customers about the availability of patches for a critical MiCollab vulnerability that can be exploited remotely and without authentication.

The flaw, which currently does not appear to have a CVE identifier, has been described as a path traversal issue affecting MiCollab’s NuPoint Unified Messaging (NPM) component.

MiCollab 9.8 SP2 (9.8.2.12) and earlier are impacted, and a patch is included in versions 9.8 SP3 (9.8.3.1) and later. MiCollab 10.0.0.26 and later versions are not affected.

Mitel MiCollab is a communications and collaboration platform that provides users with tools for voice, video, chat, web conferencing, and team collaboration.

The vulnerability, according to Mitel, can allow an attacker to “gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server”.

Dahmani Toumi, the researcher credited for discovering ...