PatchDay Alert
Analysis · 7 min read · 1,463 words By The Field Notes Desk · Field Notes

Mitel MiCollab keeps shipping the same path-traversal bug class

watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day. The pattern across NPM, ReconcileWizard, and AWV is structural, and operators tolerate it because UC is the most upgrade-averse tier in the enterprise.

On December 5, 2024, watchTowr Labs published a chained proof-of-concept against Mitel MiCollab that read /etc/passwd off an internet-facing UC server with no authentication. watchTowr had reported the chain to Mitel on May 29, 2024. Mitel shipped 9.8.2.12 on October 9, 2024, patching CVE-2024-41713 only. By the time watchTowr published on December 5, more than six months after the initial report and well past the 90-day disclosure window, the second half of the chain, CVE-2024-55550, was still a 0-day. watchTowr ran the clock out and shipped the script.

The chain is two bugs that look unimpressive on their own and devastating together. CVE-2024-41713 is a path-normalization bypass in the NuPoint Unified Messaging (NPM) front-end, where a ..;/ segment, the parent-directory token with a trailing semicolon that Tomcat parses as a path parameter rather than a traversal, lets an unauthenticated request escape the npm-pwg jail and reach sibling WAR contexts that are normally gated behind admin auth: npm-admin, axis2-AWC, portal, and ReconcileWizard. The canonical PoC is one line:

GET /npm-pwg/..;/npm-admin/ HTTP/1.1

CVE-2024-55550 is the second half. It lives in the ReconcileWizard servlet, which accepts a reportName-style parameter inside an XML transaction blob and concatenates it into a filesystem path with no canonicalization. By itself it requires an admin session and reads files. NVD scores it 2.7 Low for that reason. Chained with 41713, the auth requirement evaporates and the realistic severity is the chain’s, not the second half’s. CISA-ADP rescored it 4.4 Medium with confidentiality high, which is closer to honest, though still not what unauthenticated arbitrary file read on an internet-exposed UC box actually deserves.

NVD scores CVE-2024-41713 at 9.1 Critical. Mitel’s MISA-2024-0029 advisory says 9.8 without publishing the vector. Mitel did not show their work.

What the exposure looks like

CISA added both CVEs to KEV on January 7, 2025 with a January 28 federal due date. KEV addition requires reliable evidence of active abuse, so somebody got hit. Beyond that, the in-the-wild record is thin. No IR firm has named a victim. No attribution to a specific crew has been published. The local KEV snapshot used by this site lists knownRansomwareCampaignUse: "Known" for both entries; security press at listing time (SecurityWeek, Help Net Security, Qualys) reported the field as Unknown. The discrepancy is unresolved and I am not going to invent a ransomware crew to fill the gap. Treat it as exploited, treat the ransomware tie as unconfirmed.

The exposure numbers do not line up either. watchTowr cited “over 16,000 instances across the Internet.” Censys, in their December 17, 2024 advisory, counted 8,899, with about 54% in the United States. Censys flagged the discrepancy without reconciling it. The defensible range is 8,900 to 16,000 internet-exposed MiCollab boxes. Whichever number is right, the public PoC has been sitting in watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713 since December 5, 2024. Any unauthenticated ..;/ request returning a 200 is evidence of exploitation, not scanning.

NHS England Digital issued cyber alert CC-4588 telling UK health-sector operators to patch. They did not name victims either. The pattern is the usual one: KEV says it is happening, the vendor advisory describes the bug as if no one has used it yet, and the press fills the rest with adjectives.

This is not the first time

The Mitel UC stack has been bleeding the same way for years. The bug class is consistent enough to chart:

  • CVE-2022-29499 in MiVoice Connect Service Appliance. Unauth RCE via a data-validation flaw in a service that PHP-formatted attacker input and shoved it into a shell command. CVSS 9.8. Lorenz ransomware operators used it for initial access in mid-2022, sat on the foothold for nearly a month before pivoting with Chisel and dropping ransomware. Rapid7 and Arctic Wolf documented the chain.
  • CVE-2023-31457 in MiVoice Connect’s Windows DVS server. Unauth RCE.
  • CVE-2024-35286 in MiCollab’s NPM component, disclosed by watchTowr in May 2024. Pre-auth SQL injection. Same product, same servlet family that 41713 later hit through a different door.
  • CVE-2024-41713 in NPM via ..;/ smuggling.
  • CVE-2024-55550 in ReconcileWizard. The chain partner.
  • 2023 issues in MiCollab’s AWV component and web-conferencing surface. SQLi in both.

The class signature does not change. Legacy Java and servlet components, NPM and ReconcileWizard and AWV and Service Appliance, accepting unauthenticated input and feeding it into SQL strings, file paths, or shell-adjacent contexts with thin or absent validation. This is not bug-class diversity. It is the same shape of bug surfacing in different servlets, year after year, on the same product line. Whatever secure-development discipline Mitel has applied elsewhere in the codebase has not been applied uniformly to the UC front-ends that customers expose to the internet.

Why it keeps happening

The codebase explanation is straightforward enough: Mitel’s UC stack was built on a generation of Java servlet containers where path normalization and input handling were hand-rolled per component, and refactoring that surface costs more than fixing each CVE individually. The classic short-term-rational, long-term-bleeding tradeoff. Each advisory closes one door without rebuilding the hallway.

The harder explanation is operational. MiCollab is on-prem unified communications. Customers self-patch, and voice infrastructure is the most upgrade-averse tier in any enterprise I have ever seen. A MiCollab upgrade is not a Tuesday-night reboot. It is a multi-week change-window project with PBX integrations to regression-test, SIP trunks that throw fits when the dial plan re-parses, call-recording integrations that depend on specific service account behavior, voicemail-to-AD plumbing, federated presence, and an approval queue that runs through the people who own the phone bill. Operators run last year’s MiCollab not because they are negligent but because the upgrade calendar has a handful of slots a year and the phone system loses to the EHR every time.

Mitel knows this. Attackers know it better. Shipping a fix that most of the install base will not deploy for many months is functionally similar to shipping no fix at all, except the patch diff is now public for anyone willing to read it. watchTowr did read it, and they did not even need to: when watchTowr’s 90-day window expired, Mitel had patched CVE-2024-41713 but had not shipped a fix for CVE-2024-55550, the second half of the chain.

What to actually do

Patches first.

  • CVE-2024-41713 is fixed in MiCollab 9.8 SP2 (9.8.2.12). Anything at or below 9.8 SP1 FP2 (9.8.1.201) is exploitable pre-auth.
  • CVE-2024-55550 is described by Mitel as “substantially mitigated” in 9.8.2.12, with a full fix planned for a later release. That language is not a clean patch. Treat 9.8.2.12 as the floor, not the ceiling, and confirm with Mitel support whether a follow-up is available before declaring the host done. KB000116041 covers an interim backport for 6.0+ deployments that cannot jump to 9.8.

If you cannot patch this week, the chain dies on a single front-end rule. Mitel’s own advisory does not recommend one, but the watchTowr writeup makes the primitive clear: reject any request whose URI contains ..;/, and especially /npm-pwg/..;/, at the reverse proxy. If NPM is not in use, take /npm-pwg/ and /npm-admin/ off the public vhost entirely. The MiCollab admin surfaces should not be reachable from the open internet under any deployment model. VPN-or-bust is the right posture and probably should have been the deployment guide from day one.

For hunting, the URI patterns are specific enough to grep:

  • /npm-pwg/..;/npm-admin/ — the auth-bypass landing.
  • /npm-pwg/..;/npm-admin/login.do with subAction=basicLogin and SQLi tells like pg_sleep — CVE-2024-35286 territory, still relevant on un-patched hosts.
  • /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1 — the file-read endpoint.
  • POST bodies containing <reportName> with ../ sequences inside a _transaction XML payload.

The PoC has been public since December 5, 2024. Pull at least 90 days of access logs and look for any 200 response on a URI containing ..;/. There is no benign reason for that pattern to succeed against a MiCollab host.
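The same predicate that a reverse-proxy deny rule needs (reject any URI carrying ..;/, percent-encoded or not) is what the log hunt above greps for. The following is an added example, not watchTowr's, Mitel's, or this site's code: it triages constructed Apache-style access-log lines, tags the post-bypass target using the URI patterns listed above, and calls a 200 on a ..;/ request exploitation rather than scanning. The log lines and client addresses are made up.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2024:02:14:11 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [06/Dec/2024:02:14:12 +0000] "POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1 HTTP/1.1" 200 1873 "-" "python-requests/2.31"
198.51.100.9 - - [06/Dec/2024:02:15:00 +0000] "GET /npm-pwg/%2e%2e;/npm-admin/login.do?subAction=basicLogin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Dec/2024:09:01:30 +0000] "GET /portal/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Dec/2024:09:01:31 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def smuggles_parent_dir(uri: str) -> bool:
    """True if the URI carries the ..;/ token CVE-2024-41713 relies on.
    Decoded twice so %2e%2e;/ and double-encoded %252e variants are caught."""
    return "..;/" in unquote(unquote(uri))

def endpoint_tag(uri: str) -> str:
    """Name the post-bypass target, using the hunting-list URI patterns."""
    u = unquote(unquote(uri)).lower()
    if "/reconcilewizard/" in u:
        return "file-read endpoint (CVE-2024-55550)"
    if "login.do" in u and "subaction=basiclogin" in u:
        return "npm-admin login (CVE-2024-35286 SQLi probe surface)"
    return "auth-bypass landing"

def triage(line: str) -> Optional[dict]:
    """Finding for one access-log line, or None if it is not a ..;/ request."""
    m = LOG_RE.match(line)
    if not m or not smuggles_parent_dir(m["uri"]):
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"], "uri": m["uri"], "status": status,
        "target": endpoint_tag(m["uri"]),
        # A 200 means Tomcat served the sibling context: exploitation, not scanning.
        "verdict": "exploited" if status == 200 else "attempted",
    }

def hunt(log_text: str) -> List[dict]:
    return [f for f in (triage(ln) for ln in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["verdict"], f["ip"], f["status"], f["target"], f["uri"])
```

Point `hunt` at the full 90-day log text; every "exploited" finding warrants incident handling for that host, not just a patch ticket.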

The KEV deadline of January 28, 2025 is binding for FCEB agencies under BOD 22-01 and is not legally binding for anyone else. It is, however, the clearest “actively exploited, patch now” signal CISA issues, and cyber insurers are increasingly reading KEV entries as a standard-of-care benchmark. Treat it as one whether or not you report to CISA.

The story Mitel’s advisories tell is that each of these CVEs is a discrete bug that has been fixed. The story the codebase tells is that the same servlet family, NPM and ReconcileWizard and AWV and Service Appliance, has been producing the same shape of failure since 2022, and the people running that codebase at the network edge cannot upgrade fast enough to outrun it. PatchDay Alert tracks KEV additions the day they land, which in cases like this one tends to be the first reliable signal that a vendor advisory was downplaying the urgency. The chain is not the problem. The chain is what the next chain will look like.
