Mitel collaboration software zero-day strings along a previously patched vulnerability


  • Security pros from watchTowr found a new bug in Mitel MiCollab
  • Mitel has not yet released a patch
  • watchTowr suggested a number of mitigations to minimize risk

A zero-day vulnerability, allowing crooks to read files they shouldn’t be allowed to read, is still sitting in Mitel MiCollab three months after being reported.

This is according to a new report from cybersecurity researchers watchTowr, who claim to have found and reported the flaw in late August this year.

Mitel MiCollab is a unified communications and collaboration solution designed to enhance teamwork and productivity by integrating messaging, voice, video, and conferencing tools into a single platform.

Immediate effect

The researchers at watchTowr were looking into a different vulnerability when they discovered a flaw that allows threat actors to access sensitive information about the accounts on a system. They reached out to Mitel, who acknowledged the findings and set a patch deadline for the first week of December this year.

“At the time of publishing, there has been no update on the Mitel Security Advisory page,” watchTowr said in a recent report. The researchers also released a proof-of-concept, describing how the flaw might be exploited.

Communication and collaboration platforms are often targeted by cybercriminals, as they usually contain sensitive information such as contracts, payment information, employee and customer data, and more. Criminals can use that information to pressure the victims into paying a ransom, or to mount phishing attacks that can result in the deployment of ransomware and other malware.

To make matters worse, BleepingComputer claims that MiCollab was targeted in the past as well, suggesting that it is only a matter of time before this new zero-day gets exploited, especially with a proof-of-concept already available.

Since the patch is not yet released, users are advised to limit access to the MiCollab server, implement stringent firewall rules, monitor logs for suspicious activity, and, if possible, disable (or restrict) access to the ReconcileWizard servlet.
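The "monitor logs" and "restrict access to the ReconcileWizard servlet" advice can be combined into a simple check over web-server access logs. The script below is an added example, not code from watchTowr or Mitel: it parses combined-format log lines, flags any request whose path contains the servlet name, and rates hits from outside an assumed management subnet as high severity. The log lines, the `/example-path/` prefix and the `10.0.5.0/24` admin network are constructed for the example; only the servlet name comes from the article.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines (combined log format); not real MiCollab traffic.
# Only the "ReconcileWizard" servlet name is taken from the article; paths are made up.
SAMPLE_LOG = """\
10.0.5.20 - - [03/Dec/2024:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [03/Dec/2024:09:12:44 +0000] "GET /example-path/ReconcileWizard HTTP/1.1" 200 2048
10.0.5.20 - - [03/Dec/2024:09:13:10 +0000] "POST /example-path/ReconcileWizard HTTP/1.1" 200 1024
198.51.100.9 - - [03/Dec/2024:09:14:02 +0000] "GET /reconcilewizard/ HTTP/1.1" 404 0
not a log line at all
"""

# Assumed management subnet from which admin access to the servlet is expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_allowlisted(ip: str) -> bool:
    """True if the source address falls inside an admin network; malformed IPs are never allowlisted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def find_servlet_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request touching the ReconcileWizard servlet.

    Matching is case-insensitive on the path so renamed or lower-cased variants
    are not missed. Requests from allowlisted admin networks are kept at 'info'
    severity; anything else is 'high', whatever the HTTP status code was.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "reconcilewizard" not in m["path"].lower():
            continue
        severity = "info" if is_allowlisted(m["ip"]) else "high"
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": m["status"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_servlet_hits(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Feed it the real access log with `find_servlet_hits(open(path).read())`; a non-empty high-severity list after the servlet has been restricted means the restriction is not taking effect.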

“Our top priority is to ensure the reliability and security of the solutions we offer our customers,” Mitel told TechRadar Pro in a statement. “We recently became aware of vulnerabilities relating to MiCollab and have published recommended actions, including software updates, to mitigate risks. We strongly encourage customers to apply all available security updates as they become available.”

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
