CVE-2024-41713 — Mitel MiCollab Path Traversal Vulnerability

CVE-2024-41713

Mitel MiCollab — Pre-Auth Path Traversal in NuPoint REST API; Bypasses Authentication to Admin Functions; Chained with CVE-2024-55550 for Arbitrary File Read

What is Mitel MiCollab?

Mitel MiCollab is a widely deployed enterprise unified communications platform combining voice, video, messaging, and collaboration features. It is used by businesses and organizations for internal communications, integrating with PBX phone systems and providing web-based and mobile access to communications. MiCollab's web interface exposes REST API endpoints for management and messaging functions — making any authentication bypass in these APIs a high-impact vulnerability. Mitel products are commonly found in enterprise, healthcare, and government environments.

Overview

CVE-2024-41713 is a path traversal vulnerability (CWE-22) in Mitel MiCollab's NuPoint Unified Messaging (NPE) REST API component. An unauthenticated attacker can craft a URL with path traversal sequences that bypass the API's authentication check, accessing administrative endpoints without credentials. This vulnerability was discovered by watchTowr Labs and documented in detail in December 2024, where they also demonstrated chaining it with CVE-2024-55550 (an authenticated arbitrary file read in MiCollab's Chat Service) — the CVE-2024-41713 authentication bypass eliminates the authentication requirement, making CVE-2024-55550 exploitable without any credentials. The combined chain achieves unauthenticated arbitrary file read of any file on the MiCollab server. CISA added it to KEV on January 7, 2025, confirming active exploitation including by ransomware actors.

Affected Versions

Product           Vulnerable            Fixed
Mitel MiCollab    < 9.8 SP2 (9.8.2)     9.8 SP2 (9.8.2)

Technical Details

The path traversal (CWE-22) is in the NuPoint Unified Messaging REST API endpoint, accessible via the MiCollab web interface. The API performs authentication checks based on the URL path structure. By inserting .. path traversal sequences into the request URL, an attacker can cause the authentication check to be bypassed — the path normalization logic resolves the traversal sequences after the authentication decision is made, allowing access to authenticated API endpoints without credentials.
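The ordering defect described above, as an added illustration that is not Mitel's code: the route prefixes, the policy table and the two authorize functions are hypothetical, and the point is only the order of operations. The vulnerable variant decides authentication on the raw request path and canonicalizes afterwards; the hardened variant canonicalizes first (including percent-decoding) and decides on the resolved path.

```python
"""Added illustration of the auth-before-normalization defect (not Mitel's code).

Endpoint prefixes and the policy below are hypothetical assumptions used only
to show why resolving '..' after the authentication decision is unsafe.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical route policy (assumption): /public/ needs no session, /admin/ does.
PUBLIC_PREFIX = "/public/"


def canonicalize(raw_path: str) -> str:
    """Percent-decode, then lexically collapse '.' and '..' segments."""
    decoded = unquote(raw_path)
    return posixpath.normpath(decoded)


def vulnerable_authorize(raw_path: str, authenticated: bool) -> str:
    """Vulnerable pattern: the auth decision is made on the raw, unresolved path."""
    if not raw_path.startswith(PUBLIC_PREFIX) and not authenticated:
        return "denied"
    # Normalization happens only after the decision, so a path that *starts*
    # with the public prefix can still resolve to a protected route.
    resolved = canonicalize(raw_path)
    return f"served {resolved}"


def hardened_authorize(raw_path: str, authenticated: bool) -> str:
    """Hardened pattern: canonicalize first, reject residual traversal,
    then decide on the resolved path."""
    resolved = canonicalize(raw_path)
    if ".." in resolved.split("/"):
        return "denied"  # traversal that could not be resolved inside the root
    if not resolved.startswith(PUBLIC_PREFIX) and not authenticated:
        return "denied"
    return f"served {resolved}"


if __name__ == "__main__":
    for path in ("/public/status", "/public/../admin/users", "/public/%2e%2e/admin/users"):
        print(f"{path:32} vulnerable={vulnerable_authorize(path, False):22} "
              f"hardened={hardened_authorize(path, False)}")
```

Running the block shows the same unauthenticated request being served by the vulnerable check and denied by the hardened one; the percent-encoded form is included because an authorization check that compares raw strings also misses encoded dot segments. The general fix is the one the hardened function applies: make every access decision on the fully decoded, normalized path, and do it once, in one place.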

Attack chain with CVE-2024-55550:

  1. CVE-2024-41713 (path traversal auth bypass): Attacker accesses an authenticated REST API endpoint without credentials by using a traversal URL
  2. CVE-2024-55550 (arbitrary file read): Via the now-accessible authenticated endpoint, the attacker reads arbitrary files from the server filesystem

The combined result is unauthenticated arbitrary file read — enabling extraction of:

  • MiCollab configuration files containing database credentials
  • SSH private keys and TLS certificates
  • Operating system files including /etc/passwd and /etc/shadow
  • Application secrets that could enable further compromise

Discovery

Discovered by watchTowr Labs (Benjamin Harris and team); research published December 5, 2024. watchTowr identified both CVE-2024-41713 and the chaining technique with CVE-2024-55550 in the same research.

Exploitation Context

CISA confirmed active exploitation and added CVE-2024-41713 to the KEV catalog on January 7, 2025, with a three-week remediation deadline. The KEV entry's known-ransomware-use flag is set, indicating that ransomware operators exploited the vulnerability — the arbitrary file read capability enables credential theft that facilitates lateral movement and ransomware deployment. The combination of wide enterprise deployment, no authentication requirement, and a published watchTowr PoC made this a high-value target for ransomware groups in the weeks following public disclosure.

Remediation

  1. Upgrade Mitel MiCollab to 9.8 SP2 (9.8.2) or later immediately. The CISA deadline was January 28, 2025.
  2. Apply patches for both CVE-2024-41713 and CVE-2024-55550 — both must be addressed; fixing only one leaves the chain partially viable.
  3. Restrict network access to the MiCollab web interface — limit access to known corporate IP ranges and VPN clients; the NuPoint REST API should not be internet-exposed if avoidable.
  4. Audit MiCollab access logs for path traversal patterns (../ sequences) in API request URLs from the exposure period.
  5. Rotate credentials stored in MiCollab configuration files if exploitation is suspected — database passwords, certificates, and API keys may have been exfiltrated.
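Remediation step 4 asks for an audit of request URLs from the exposure period. The following is an added example, not part of the advisory, of how such a scan can be done against a web-server access log: the log lines are constructed for the demo (Common Log Format, with hypothetical paths that are not MiCollab's real endpoints), and the scanner decodes each request target repeatedly so that single- and double-percent-encoded dot segments are caught as well as literal ../ sequences.

```python
"""Added example (not from the advisory): flag path-traversal attempts in access logs.

The log excerpt is constructed for this demo; the request paths are hypothetical
and are not MiCollab's actual endpoints.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2024:10:12:01 +0000] "GET /portal/status HTTP/1.1" 200 512
203.0.113.7 - - [06/Dec/2024:10:12:03 +0000] "GET /portal/../mgmt/users HTTP/1.1" 200 2048
198.51.100.9 - - [06/Dec/2024:10:13:44 +0000] "GET /portal/%2e%2e/mgmt/users HTTP/1.1" 200 2048
198.51.100.9 - - [06/Dec/2024:10:13:45 +0000] "GET /portal/%252e%252e/mgmt/users HTTP/1.1" 200 2048
192.0.2.5 - - [06/Dec/2024:10:14:10 +0000] "POST /portal/login HTTP/1.1" 302 0
"""


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (defeats double encoding)."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal(target: str) -> bool:
    """True if any path segment of the fully decoded target is '..'."""
    path = decode_fully(target).split("?", 1)[0].replace("\\", "/")
    return ".." in path.split("/")


def find_traversal_requests(log_text: str) -> list[dict]:
    """Return one record per request whose target contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                # lexically resolved path: what the request actually reached
                "resolved": posixpath.normpath(decode_fully(m["target"]).split("?", 1)[0]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ip']:14} {hit['status']} {hit['target']} -> {hit['resolved']}")
```

Traversal requests that received a 200 rather than a 401/403 are the ones to escalate, since they indicate the check was actually bypassed; the resolved path tells you which protected route was reached, which in turn scopes the credential rotation in step 5.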

Key Details

Property               Value
CVE ID                 CVE-2024-41713
Vendor / Product       Mitel — MiCollab
NVD Published          2024-10-21
NVD Last Modified      2025-11-04
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-22
CISA KEV Added         2025-01-07
CISA KEV Deadline      2025-01-28
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         None

Required Action

CISA BOD 22-01 Deadline: 2025-01-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-10-21   CVE published; Mitel releases MISA-2024-0029 advisory
2024-12-05   watchTowr Labs publishes full research on CVE-2024-41713 chained with CVE-2024-55550
2025-01-07   CISA adds to KEV catalog
2025-01-28   CISA BOD 22-01 remediation deadline