A series of zero-day bugs allows attackers to gain access to sensitive files within Mitel MiCollab. A patch is now available for some of the vulnerabilities.
Mitel's collaboration tool MiCollab is vulnerable to three zero-day bugs, which attackers can chain to gain access to sensitive files. watchTowr researchers discovered the problem and are now publishing the details. A full patch is not yet available, but the researchers waited 100 days before going public with the bugs, in line with normal responsible disclosure practice.
Two of the bugs are particularly dangerous. The first, CVE-2024-35286, has a score of 9.8 and is a SQL injection vulnerability. The second, CVE-2024-41713, allows attackers to bypass authentication. The third flaw has no CVE number; it allows an attacker to read data, but requires authentication.
(Partially) patched
Mitel is already providing a patch for the CVE-2024-41713 bug, fixed in MiCollab 9.8 SP2 (9.8.2.12). The other CVE-listed flaw, the SQL injection, has also been closed since May. According to Mitel, this removes the urgency, because the authentication bypass is essential for carrying out an external attack. The company does not consider the remaining, authenticated flaw to be critical. Details about its plans for a patch are not yet known.
In any case, make sure MiCollab is up to date, so that at least the two most critical vulnerabilities are fixed.