CVE-2024-41710 — Mitel SIP Phones Argument Injection Vulnerability

CVE-2024-41710

Mitel 6800/6900 Series SIP Phones — Argument Injection During Boot Process Allows Admin-Auth Remote Code Execution

What are Mitel SIP Phones?

Mitel's 6800 Series, 6900 Series, and 6900w Series are IP/SIP desk phones used in enterprise, government, and healthcare unified communications deployments. The 6970 Conference Unit is a conference room speakerphone in the same product family. These phones run embedded Linux-based firmware, connect to IP PBX or cloud telephony platforms via SIP, and expose a web-based administration interface for configuration and management. Because they are network-connected devices managed via IP and often provisioned with centralized configuration servers, they can be accessible to attackers on the corporate network or in some cases from the internet.

Overview

CVE-2024-41710 is an argument injection vulnerability in the Mitel 6800/6900/6900w Series SIP phones and 6970 Conference Unit, exploitable during the device boot process. An attacker with admin-level access to the phone's management interface can inject additional arguments into parameters processed during boot, causing the device to execute arbitrary commands within the system context. Mitel published the security bulletin and patches in August 2024; CISA added the vulnerability to the KEV catalog in February 2025, indicating confirmed active exploitation six months after patch availability.

Affected Versions

| Device | Status |
| --- | --- |
| Mitel 6800 Series SIP Phones | Patched per security bulletin 24-0019-001 |
| Mitel 6900 Series SIP Phones | Patched per security bulletin 24-0019-001 |
| Mitel 6900w Series SIP Phones | Patched per security bulletin 24-0019-001 |
| Mitel 6970 Conference Unit | Patched per security bulletin 24-0019-001 |

Refer to the Mitel security bulletin for specific firmware version details.

Technical Details

The vulnerability is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection'). During the boot process, the phone firmware processes configuration parameters that are passed to system commands. The argument injection vulnerability arises because user-controlled input (accessible via the admin management interface) is incorporated into command arguments without adequate sanitization of argument delimiters. An attacker with admin access can craft parameter values containing additional arguments that alter the behavior of the executed command, for example by appending --exec=<command> or by using shell word splitting to introduce additional positional arguments that trigger code execution.

Because the injection occurs during the boot process — when the system is initializing with elevated privileges — the resulting code execution occurs with system-level context on the embedded Linux firmware.
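
The mechanism described above, as an added example that is not Mitel firmware code and is not taken from the bulletin: a shell sketch showing how an unquoted configuration value is split into extra arguments, and how quoting, an end-of-options marker, and an allowlist neutralize it. The function names, the stand-in parser, and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration: parse_argv is a hypothetical stand-in for the command a
# boot script would launch; all values below are constructed.

# Model of a typical option parser: "-x" arguments are options until "--".
parse_argv() {
    opts=0; pos=0; end=0
    for a in "$@"; do
        if [ "$end" -eq 1 ]; then pos=$((pos + 1)); continue; fi
        case $a in
            --) end=1 ;;
            -*) opts=$((opts + 1)) ;;
            *)  pos=$((pos + 1)) ;;
        esac
    done
    echo "options=$opts positional=$pos"
}

# Weak: unquoted expansion is word-split, so one value becomes several args.
run_unquoted() { parse_argv $1; }

# Hardened: quoting keeps the value as one argument, and "--" stops a
# leading "-" from being read as an option.
run_hardened() { parse_argv -- "$1"; }

# Allowlist for a hostname-like parameter; reject empty or leading "-".
is_safe_value() {
    case $1 in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

for v in 'tftp.example.net' 'tftp.example.net --exec=placeholder' '--exec=placeholder'; do
    if is_safe_value "$v"; then verdict=accept; else verdict=reject; fi
    printf '%s\n  unquoted: %s\n  hardened: %s\n  validator: %s\n' \
        "$v" "$(run_unquoted "$v")" "$(run_hardened "$v")" "$verdict"
done
```

Quoting alone would still let a value that begins with "-" be parsed as an option, which is why the hardened call also passes "--" and the validator rejects a leading hyphen.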

Discovery

The vulnerability was reported to Mitel, which published security bulletin 24-0019-001 with patched firmware in August 2024. The six-month gap to CISA KEV addition (February 2025) indicates exploitation was detected in the wild after an extended period of unpatched devices in enterprise deployments.

Exploitation Context

IP phone infrastructure is increasingly targeted by threat actors who recognize that phone systems are often overlooked in patch management cycles — updated less frequently than servers and workstations. A compromised IP phone with system-level access can be used for: eavesdropping on phone calls, network reconnaissance from inside the corporate LAN, lateral movement to other devices on the phone VLAN, and persistent access via devices that are rarely rebooted or reimaged. Unified communications infrastructure increasingly merges with IT networks, expanding the attack surface of traditionally separate telephony systems.

Remediation

  1. Apply the firmware update from Mitel security bulletin 24-0019-001 to all affected 6800, 6900, 6900w, and 6970 devices.
  2. Restrict access to the phone admin management interface to authorized provisioning systems only; the admin interface should not be reachable from general user workstations.
  3. Segment phone infrastructure on a dedicated VLAN with restricted routing to production networks.
  4. Change all phone admin passwords from defaults and ensure credentials are not reused across devices.
  5. Include IP phones and other unified communications devices in your organization's vulnerability management and patch cadence program.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2024-41710 |
| Vendor / Product | Mitel — SIP Phones |
| NVD Published | 2024-08-12 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-88 |
| CISA KEV Added | 2025-02-12 |
| CISA KEV Deadline | 2025-03-05 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2025-03-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2024-08-12 | CVE published; Mitel releases security bulletin 24-0019-001 with patched firmware |
| 2025-02-12 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-03-05 | CISA BOD 22-01 remediation deadline |