Editorial coverage · CVE-2024-41713
The advisory clock and the change-window calendar.
Mitel shipped MiCollab 9.8 SP2 on October 9, 2024, fixing the path-traversal bypass that anchors the NPM/ReconcileWizard chain. watchTowr published a working unauth exploit on December 5 with the second half of the chain still a 0-day. CISA added both CVEs to KEV on January 7 with a January 28 due date. Unified communications is the tier of the enterprise that cannot patch on those calendars, and the advisories do not model that.
What we say
The disclosure clock and the change-window calendar do not run at the same speed.
watchTowr reported the chain to Mitel on May 29, 2024. Mitel shipped MiCollab 9.8 SP2 on October 9, 2024, patching CVE-2024-41713 only — the path-normalization bypass that opens the door. The chain partner, CVE-2024-55550 in the ReconcileWizard servlet, was still a 0-day on December 5, 2024, when watchTowr’s 90-day window ran out and they published the working exploit. CISA added both CVEs to KEV on January 7, 2025 with a federal due date of January 28. From the moment the public PoC landed to the moment an FCEB operator was supposed to have patched: eight weeks.
Eight weeks is not a MiCollab change window. A MiCollab upgrade is not a Tuesday-night reboot. The platform sits underneath PBX integrations that have to be regression-tested, SIP trunks that throw fits when the dial plan re-parses, call-recording integrations that depend on specific service-account behavior, voicemail-to-AD plumbing that has to be re-validated against the directory, federated presence, and an approval queue that runs through the people who own the phone bill. The realistic patch cycle for the product is measured in months, not weeks, and a non-trivial fraction of the install base will pace a MiCollab upgrade against the same change calendar that schedules the EHR. The phone system loses to the EHR every time.
This is not a Mitel-specific framing. It is a structural feature of unified communications as a product tier: customer-deployed, deeply integrated, expensive to regress, and as a result the slowest patch cadence in the enterprise outside industrial controls. KEV deadlines are written against a cadence that tier does not deliver on. The 21-day BOD 22-01 clock and the 30-day PCI 6.3.3 clock both assume the operator can apply the fix on the timeline the advisory implies. For a MiCollab front-end the assumption does not hold, and the gap between the assumption and the operating reality is where the in-the-wild exploitation lives.
The narrow remediation is the one Mitel’s advisory describes — apply 9.8 SP2 (9.8.2.12), treat 55550’s “substantially mitigated” status as a floor not a ceiling, and confirm with support before declaring a host done. The interim control that closes the chain without a full upgrade is documented in the long-form blog post: a reverse-proxy rule rejecting any URI containing `..;/`, plus removing the `/npm-pwg/` and `/npm-admin/` paths from the public vhost if NPM is not in active use. The MiCollab admin surfaces should not be reachable from the open internet under any deployment model. Censys counted roughly 8,900 exposed instances on December 17, 2024; watchTowr cited 16,000. The defensible range is wide enough that “MiCollab is not internet-facing” is not a safe assumption about anyone else’s network.
The wider lesson is for the advisory authors. CISA, NVD, and the researcher community write KEV due dates and disclosure deadlines against a generic operator who can apply a fix within weeks. The operator who cannot is not negligent — they are running a product tier where the upgrade calendar is structurally different from the patch clock the advisory runs on. Until the advisory ecosystem models that gap, the in-the-wild record on UC, OT, and other slow-cadence tiers will keep telling the same story.
What NVD says
CWE-22 — improper limitation of a pathname to a restricted directory (path traversal). CVSS 3.1 base 9.1 Critical, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Unauthenticated path-normalization bypass in the NuPoint Unified Messaging front-end of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201); a `..;/` segment, a parent-directory token with a trailing semicolon that Tomcat treats as a path parameter rather than a traversal, lets an unauthenticated request reach sibling WAR contexts that are normally gated by admin authentication. NVD names the bug and the affected versions. The record carries no field for operator deployment cadence on the product class — whether the install base can realistically apply the fix on the timeline KEV implies after the disclosure-and-PoC sequence runs its course.
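The interim proxy rule from the remediation paragraph and the Tomcat path-parameter behaviour described above, as an added example that is not the page’s or Mitel’s code: a filter that rejects the `..;/` token, approximates how Tomcat strips `;param` from each segment before resolving `..`, and blocks anything that resolves into the `/npm-pwg/` or `/npm-admin/` contexts, run over constructed access-log lines. The normalization routine is an approximation written for this example, and the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Contexts the long-form post says to pull from the public vhost when NPM is
# not in use (paths are from the page; treating them as a blocklist is this
# example's choice).
ADMIN_CONTEXTS = ("/npm-pwg", "/npm-admin")


def tomcat_normalize(raw_path):
    """Approximate Tomcat's view of a request path: percent-decode, drop the
    ';param' suffix on every segment (so '..;' becomes '..'), then resolve
    '.' and '..'. Written for this example, not Tomcat's own code."""
    path = unquote(raw_path.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # path parameter stripped per segment
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def should_block(raw_path):
    """Return the reason a request should be rejected at the proxy, or None."""
    if "..;/" in unquote(raw_path):
        return "traversal token '..;/' in URI"
    norm = tomcat_normalize(raw_path)
    for ctx in ADMIN_CONTEXTS:
        if norm == ctx or norm.startswith(ctx + "/"):
            return "request resolves into gated context " + ctx
    return None


LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Flag access-log lines whose request path should_block() rejects."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (reason := should_block(m.group("path"))):
            hits.append((m.group("path"), reason))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [05/Dec/2024:10:01:02 +0000] "GET /npm-pwg/..;/npm-admin/ HTTP/1.1" 200 512',
    '10.0.0.6 - - [05/Dec/2024:10:01:03 +0000] "GET /npm-pwg/%2e%2e;/npm-admin/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Dec/2024:10:01:04 +0000] "GET /ucs/micollab/ HTTP/1.1" 200 1024',
]
```

The percent-encoded variant is caught because the token check runs on the decoded URI, which is the check a proxy rule matching the literal string `..;/` would miss.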
What the vendor says
Mitel's MISA-2024-0029 advisory rates CVE-2024-41713 at 9.8 Critical without publishing the CVSS vector — NVD scored it 9.1 with the vector visible. Fixed in MiCollab 9.8 SP2 (9.8.2.12), released October 9, 2024 after a May 29 report from watchTowr. The chain partner, CVE-2024-55550 in the ReconcileWizard servlet, was not patched in that release; Mitel describes it as 'substantially mitigated' in 9.8.2.12 with a full fix planned for a later version, and KB000116041 covers an interim backport for 6.0+ deployments. The advisory describes the bug and the remediation. It does not address the gap between the disclosure clock the advisory runs on and the change-window calendar UC operators run on.
Compliance impact
- PCI DSS
  - Requirement 6.3.3 of PCI DSS v4.0 requires that critical security patches be installed within one month of release. MiCollab is not in the cardholder data environment for most operators, but the realistic on-prem patch cycle for a UC platform with PBX integrations, SIP trunks, and call-recording dependencies routinely runs two to six months — well outside the 6.3.3 window for any deployment that does end up in CDE scope (contact-center call recording for payment IVR, voicemail integrations for cardholder support workflows). QSAs reading 6.3.3 against a UC change-window calendar will not accept ‘the phone system loses to the EHR every time’ as a compensating control.
- HIPAA
  - Covered entities and business associates running MiCollab in clinical workflows — voicemail-to-clinician routing, on-call paging, intra-shift messaging tied to AD identity — sit under the Security Rule’s risk-analysis and risk-management obligations. An internet-reachable MiCollab front-end with a known unauthenticated file-read primitive is a finding the auditor will note; the Breach Notification Rule four-factor analysis cannot stop at ‘we are scheduled to patch in our next change window’ when a public PoC has been live for the duration of that window. The risk-management decision is whether the appliance belongs on the open internet at all, which the long-form blog post argues it does not.
Sources
- NVD — CVE-2024-41713
- NVD — CVE-2024-55550 (chain partner)
- Mitel MISA-2024-0029 product security advisory
- watchTowr Labs — Where there's smoke, there's fire (Mitel MiCollab)
- watchTowr GitHub — Mitel-MiCollab-Auth-Bypass_CVE-2024-41713 PoC
- Censys advisory — CVE-2024-35286 and exposed MiCollab instances
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.