CVE-2024-55550 — Mitel MiCollab Path Traversal Vulnerability

CVE-2024-55550

Mitel MiCollab — Admin-Auth Path Traversal Reads Arbitrary System Files; Chained with CVE-2024-41713 Unauthenticated Bypass for Full Pre-Auth Exploit; watchTowr Discovery

What is Mitel MiCollab?

Mitel MiCollab is a unified communications platform providing voice, video, messaging, and collaboration services for enterprise environments. It integrates with phone systems, supports remote work connectivity, and handles internal communications for organizations in healthcare, government, education, and enterprise sectors. MiCollab servers process significant organizational communication data and are often accessible from the internet for remote worker connectivity — making them a target for threat actors seeking to intercept communications, steal credentials, or gain initial access to enterprise networks.

Overview

CVE-2024-55550 is a path traversal vulnerability in Mitel MiCollab that allows an authenticated attacker with administrative privileges to read arbitrary local files on the server. On its own, the low CVSS score (2.7) and admin authentication requirement make this appear minor. However, CVE-2024-55550 becomes critical when chained with CVE-2024-41713 — a separate unauthenticated path traversal in MiCollab's NuPoint Unified Messaging component (CVSS 9.1) that allows authentication bypass. Together, the chain enables unauthenticated, remote attackers to read arbitrary files on MiCollab servers, including configuration files containing credentials. Both vulnerabilities were discovered by watchTowr Labs and linked to ransomware exploitation activity.

Affected Versions

Product          Vulnerable versions            Fixed in
Mitel MiCollab   < 9.8 SP2 (9.8.1326.101)       9.8 SP2 (9.8.1326.101)

Technical Details

CWE-22 (Path Traversal). MiCollab's administrative interface exposes an endpoint that takes a file path parameter and returns server-side content. The parameter is joined onto the intended directory without canonicalisation or validation, so directory traversal sequences (../) escape that directory and reach any file on the underlying Linux filesystem that the application's service account can read. An admin-authenticated attacker can therefore read system files such as /etc/passwd, application configuration files containing database credentials, TLS private keys, or other sensitive data stored on the MiCollab server.
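The pattern just described, as an added illustration that is not MiCollab or watchTowr code: a file-read handler that joins a caller-supplied path onto its base directory, beside a hardened version that decodes once, canonicalises with realpath and refuses anything that resolves outside the base. The directory layout, file names and the parameter handling are constructed for the demo; the real MiCollab endpoint and parameter name are not given on this page and are not assumed here.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_read(base_dir, requested):
    """Insecure pattern: decode the parameter (as a web framework would), strip a
    leading slash and join. '../' sequences survive, so the path escapes base_dir."""
    path = os.path.join(base_dir, unquote(requested).lstrip("/"))
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def resolve_confined(base_dir, requested):
    """Return the canonical path if it stays inside base_dir, else None.
    realpath() collapses '..' and follows symlinks, so a planted link cannot point
    outside either; commonpath() avoids the '/srv/app' vs '/srv/app2' prefix trap."""
    decoded = unquote(requested)
    if unquote(decoded) != decoded:      # double-encoded input: treat as hostile
        return None
    if "\x00" in decoded:                # NUL-byte truncation trick
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def hardened_read(base_dir, requested):
    """Same contract as vulnerable_read, but confined to base_dir."""
    path = resolve_confined(base_dir, requested)
    if path is None:
        raise PermissionError(f"path escapes {base_dir}: {requested!r}")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed layout for the demo (hypothetical, not a MiCollab install):
    <tmp>/app/conf/app.conf is the intended directory, <tmp>/outside.txt stands in
    for a file the endpoint must never reach. Returns (base_dir, escaping path)."""
    tmp = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(tmp, "app", "conf")
    os.makedirs(base)
    with open(os.path.join(base, "app.conf"), "w", encoding="utf-8") as fh:
        fh.write("listen=0.0.0.0:443\n")
    with open(os.path.join(tmp, "outside.txt"), "w", encoding="utf-8") as fh:
        fh.write("SECRET\n")
    return base, "../../outside.txt"


if __name__ == "__main__":
    base, escape = build_demo_tree()
    print("legit    :", hardened_read(base, "app.conf").strip())
    print("vulnerable:", vulnerable_read(base, escape).strip())
    print("encoded   :", vulnerable_read(base, "%2e%2e/%2e%2e/outside.txt").strip())
    print("hardened  :", resolve_confined(base, escape))
```

The hardened version rejects double-encoded input outright rather than decoding in a loop: a legitimate client never sends `%252e`, so treating it as hostile costs nothing and removes a whole class of filter-bypass tricks. Canonicalising before the containment check matters because a prefix comparison on the raw string is what `../` and symlinks defeat.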

The exploitation chain with CVE-2024-41713 works as follows:

  1. CVE-2024-41713 (unauthenticated): A path traversal in the NuPoint Unified Messaging (NPM) component allows an unauthenticated attacker to access application URLs that should require authentication — effectively bypassing the authentication requirement
  2. CVE-2024-55550 (auth required → bypassed by step 1): With authentication bypassed, the attacker can now invoke the path traversal to read arbitrary files

The combined chain achieves unauthenticated arbitrary file read. The file read scored 2.7 on its own only because it assumed an administrator; once CVE-2024-41713 (CVSS 9.1) removes that assumption, the two together behave like a single critical pre-auth vulnerability, which is why the standalone score for CVE-2024-55550 understates its real-world impact.

Discovery

Both CVE-2024-41713 and CVE-2024-55550 were discovered by watchTowr Labs, who published detailed technical research on December 5, 2024, after Mitel released patches. watchTowr's research demonstrated the full exploit chain and identified the critical impact of combining the two vulnerabilities. The KEV addition in January 2025 confirmed active exploitation, with ransomware actor involvement noted in CISA's catalog.

Exploitation Context

The ransomware connection (ransomwareUse: true in CISA's catalog) indicates that ransomware-affiliated actors incorporated the CVE-2024-41713 + CVE-2024-55550 chain into their initial access toolkit. MiCollab's role as an enterprise communication platform means a compromised server can yield credentials for internal systems, VoIP infrastructure configuration, directory service integration details, and potentially direct access to user communications — valuable both for data theft and as initial access for ransomware deployment.

The gap between the patch release (19 November 2024) and the KEV addition (7 January 2025) is short, roughly seven weeks, suggesting that exploitation followed quickly once watchTowr's December technical publication made the attack details public.

Remediation

  1. Upgrade Mitel MiCollab to version 9.8 SP2 (9.8.1326.101) or later immediately; both CVE-2024-55550 and CVE-2024-41713 are patched in this release.
  2. Confirm that CVE-2024-41713 (NuPoint path traversal) is closed as well. The combination creates an unauthenticated exploit chain more severe than either vulnerability alone, so a system where only one is fixed is not done.
  3. After patching, review MiCollab application and web access logs for signs of exploitation: path traversal patterns (repeated ../ sequences, including percent-encoded forms such as %2e%2e), requests for files that have no business being served over HTTP (for example /etc/passwd or configuration files), and authentication anomalies such as administrative URLs reached without a preceding login. A 200 response to such a request is a stronger signal than a 403 or 404.
  4. Restrict MiCollab administrative interface access to trusted management networks. The admin-auth requirement for CVE-2024-55550 provides some protection if admin access is properly controlled, but on an unpatched system CVE-2024-41713 removes that requirement, so network restriction is a compensating control, not a substitute for the patch.
  5. Rotate credentials stored in MiCollab configuration files if exploitation cannot be ruled out: database passwords, integration credentials, service account passwords and any TLS private keys on the host may have been exposed.
  6. Consider placing MiCollab behind a VPN or otherwise restricting external access if remote worker connectivity allows, to reduce the internet-facing attack surface.
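For the log review in step 3, an added example that is not from Mitel, watchTowr or this page: a scanner over Apache/NCSA combined access-log lines that decodes repeatedly and flags dot-dot segments in the path or query string, percent-encoding stacked more than once, and references to well-known system files, then lists the source addresses whose traversal requests got a 2xx. The log lines, paths, parameter name and addresses in SAMPLE_LOG are constructed; the `..;/` spelling is included as a general servlet-container variant, not as the MiCollab request; and that MiCollab's front end writes this log format is an assumption to check against your own files.

```python
import re
from collections import Counter
from urllib.parse import unquote

# NCSA/Apache combined format; anything after the size field is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Dot-dot segments in any spelling that survives decoding: "/../", "\..\" and the
# "..;/" form (a path-parameter quirk of Java servlet containers, listed as a
# general indicator, not as the MiCollab request). '=' and '&' count as
# boundaries so the same pattern works on query-string values.
TRAVERSAL_RE = re.compile(r'(^|[/\\=&])\.\.(;[^/\\]*)?([/\\]|$)')
SYSTEM_FILE_RE = re.compile(r'/etc/(passwd|shadow|hosts)|/proc/self|\.pem\b|\.key\b')

SAMPLE_LOG = [  # constructed for the demo, not real MiCollab traffic
    '203.0.113.7 - - [05/Dec/2024:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Dec/2024:10:00:03 +0000] "GET /portal/..;/admin/ HTTP/1.1" 200 2048 "-" "curl/8.4"',
    '203.0.113.7 - - [05/Dec/2024:10:00:04 +0000] "GET /admin/readfile?path=../../../../etc/passwd HTTP/1.1" 200 1789 "-" "curl/8.4"',
    '198.51.100.9 - - [05/Dec/2024:11:12:44 +0000] "GET /static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '192.0.2.15 - - [05/Dec/2024:11:13:00 +0000] "GET /portal/messages/1234 HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]


def fully_decode(s, max_rounds=3):
    """Undo repeated percent-encoding and report how many rounds it took;
    more than one round is itself suspicious (double-encoded payload)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path, _, query = target.partition("?")
    decoded_path, rounds = fully_decode(path)
    decoded_query, qrounds = fully_decode(query)
    reasons = []
    if TRAVERSAL_RE.search(decoded_path):
        reasons.append("traversal sequence")
    if max(rounds, qrounds) > 1:
        reasons.append(f"{max(rounds, qrounds)}x percent-encoded")
    if TRAVERSAL_RE.search(decoded_query):
        reasons.append("traversal in query")
    if SYSTEM_FILE_RE.search(decoded_query):
        reasons.append("system file in query")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "src": m.group("src"), "ts": m.group("ts"), "target": target,
        "status": status, "reasons": reasons,
        # a 2xx on a traversal request means the server served something back
        "succeeded": 200 <= status < 300,
    }


def scan(lines):
    """All findings, in log order."""
    return [f for f in (analyse_line(l) for l in lines) if f]


def sources_with_successful_hits(findings):
    """Source addresses to pivot on, with how many traversal requests got a 2xx."""
    return Counter(f["src"] for f in findings if f["succeeded"])


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f["src"], f["status"], f["target"], "|", ", ".join(f["reasons"]))
    print(sources_with_successful_hits(findings))
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines. Decoding before matching is the important part: a grep for the literal string `../` misses `%2e%2e/` and double-encoded payloads, which is exactly what an attacker sends when a naive filter is in front of the application.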

Key Details

Property               Value
CVE ID                 CVE-2024-55550
Vendor / Product       Mitel — MiCollab
NVD Published          2024-12-10
NVD Last Modified      2025-11-04
CVSS 3.1 Score         2.7
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Severity               LOW
CWE                    CWE-22
CISA KEV Added         2025-01-07
CISA KEV Deadline      2025-01-28
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    High
User Interaction       None
Scope                  Unchanged
Confidentiality        Low
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-01-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-10-09    watchTowr Labs reports CVE-2024-41713 (unauthenticated path traversal) to Mitel
2024-11-19    Mitel releases MiCollab 9.8 SP2 (9.8.1326.101) patching CVE-2024-41713; CVE-2024-55550 also addressed
2024-12-05    watchTowr Labs publishes full technical research on both vulnerabilities
2024-12-10    CVE-2024-55550 formally published
2025-01-07    CISA adds CVE-2024-55550 to the Known Exploited Vulnerabilities catalog (alongside CVE-2024-41713)
2025-01-28    CISA BOD 22-01 remediation deadline

References

Resource                                   Type
Mitel Security Advisory MISA-2024-0029     Vendor Advisory
NVD — CVE-2024-55550                       Vulnerability Database
CISA KEV Catalog Entry                     US Government