Mitel this week informed customers about the availability of patches for a critical MiCollab vulnerability that can be exploited remotely and without authentication.
The flaw, which currently does not appear to have a CVE identifier, has been described as a path traversal issue affecting MiCollab’s NuPoint Unified Messaging (NPM) component.
MiCollab 9.8 SP2 (9.8.2.12) and earlier are impacted, and a patch is included in versions 9.8 SP3 (9.8.3.1) and later. MiCollab 10.0.0.26 and later versions are not affected.
Mitel MiCollab is a communications and collaboration platform that provides users with tools for voice, video, chat, web conferencing, and team collaboration.
The vulnerability, according to Mitel, can allow an attacker to “gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server”.
Dahmani Toumi, the researcher credited for discovering the vulnerability, told SecurityWeek that the flaw can be exploited remotely over the internet against MiCollab instances that are exposed to the web.
Toumi said he identified more than 20,000 internet-exposed instances using the Shodan search engine. It’s unclear exactly how many of them may be vulnerable to attacks.
According to the researcher, exploitation of the vulnerability in a real-world environment could lead to data exposure, service disruptions, or further compromise of the targeted organization’s systems.
The researcher clarified that Mitel released a patch for the vulnerability in February 2025. He also pointed out that this vulnerability is actually a bypass of the patch for CVE-2024-41713, a similar security hole disclosed in the fall of 2024.
The cybersecurity agency CISA warned in early 2025 that CVE-2024-41713 had been exploited in the wild, along with another MiCollab vulnerability tracked as CVE-2024-55550.
It’s not uncommon for threat actors to target Mitel products in their attacks. For instance, the Aquabot DDoS botnet was recently observed exploiting a vulnerability in Mitel SIP phones.
Related: PoC Exploit Published for Unpatched Mitel MiCollab Vulnerability
Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild
