Editorial coverage · CVE-2024-55550
'Substantially mitigated' is a third state your scanner does not have.
The ReconcileWizard servlet half of the watchTowr MiCollab chain. NVD scored it 2.7 Low because the bug in isolation needs an admin session. The chain with CVE-2024-41713 makes the auth requirement disappear. Mitel shipped 9.8 SP2 calling the fix 'substantially mitigated,' with a full fix planned for a later release. The advisory's own language admits the patch is partial. The scanner output, the audit form, and the KEV catalog have no field for partial.
What we say
Most vendor advisories ship in a binary: patched or not. Apply the update, the scanner flips green, the audit row clears, the change ticket closes. The whole tooling chain — scanners, SBOMs, KEV trackers, audit spreadsheets — is built on that binary.
Mitel’s MISA-2024-0029 advisory ships in a third state. The CVE-2024-55550 fix in 9.8 SP2 is described as “substantially mitigated,” with a full fix planned for a later release. KB000116041 carries an interim backport for 6.0+ deployments that cannot jump to 9.8. That language is, on the honesty axis, ahead of most advisories. It admits in the document what the document otherwise asks the operator to take on faith. It is also, on the operational axis, an unresolved instruction. The advisory does not say what the partial fix leaves on the table, what input shapes still land in the unsafe path, what logging would detect the residual primitive, or when the follow-up release ships. The operator gets the admission and not the information to act on it.
CISA added CVE-2024-55550 to the KEV catalog on January 7, 2025 alongside its chain partner CVE-2024-41713, with a federal due date of January 28. KEV does not have a “substantially mitigated” column either. The catalog’s affected-products field carries Mitel MiCollab versions through 9.8 SP1 FP2 (9.8.1.201) as vulnerable. A host running 9.8.2.12 reads as out of scope. By the vendor’s own language, that reading is partial. The KEV remediation deadline is a binary checkbox against a CVE the vendor treats as one-and-a-half-binary, and an FCEB operator who patches to 9.8.2.12 and stops has cleared the BOD 22-01 deadline but has not cleared what the vendor said to clear.
The standalone severity discussion compounds the problem. NVD’s 2.7 Low score reads the bug as an authenticated file read because that is what the bug is in isolation. CISA-ADP’s 4.4 Medium rescore reads the same bug with confidentiality high. Both are correct about the bug. Neither models the chain. CVE-2024-41713 is the front door — a ..;/ path-normalization bypass in the NPM front-end that reaches sibling WAR contexts including ReconcileWizard without authentication. CVE-2024-55550 is the second turn, the actual file-read primitive. Chained, the realistic severity is the chain’s, and the chain is critical. The KEV listing names them together for that reason. The scoring infrastructure does not.
The narrow remediation question — what should an operator on 9.8.2.12 do about 55550 — has two answers and the advisory only gives one. The vendor answer is to confirm with Mitel support whether the follow-up release or the KB000116041 backport is available for the deployment, and apply it when it is. The operator answer, the one watchTowr’s writeup makes explicit and the vendor’s advisory does not, is the reverse-proxy rule that closes the chain at the front door: reject any URI containing ..;/, especially /npm-pwg/..;/. The chain dies on that single rule regardless of which side of the partial-fix line 55550 lives on. If NPM is not in active use, the better posture is to take /npm-pwg/ and /npm-admin/ off the public vhost entirely. The MiCollab admin surfaces should not be reachable from the open internet under any deployment model.
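A defender-side check for the front-door rule described above, added here as an example and not code from this write-up, Mitel, or watchTowr: it implements the reject-on-`..;/` test, percent-decoding the path first so an encoded form of the same marker is compared in the same form as a literal one (an addition beyond the page's literal rule), and runs it over a few constructed access-log lines to flag requests the rule would have blocked. The log lines, the placeholder sibling-context path, and the `npm_in_use` switch are constructed for the example; enforcement itself belongs in the proxy configuration.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Taken from the operator guidance above: reject any URI containing "..;/",
# and keep the NPM admin surfaces off the public vhost when NPM is unused.
TRAVERSAL_MARKER = "..;/"
ADMIN_PREFIXES = ("/npm-pwg/", "/npm-admin/")


def normalize_uri(uri: str) -> str:
    """Percent-decode the URI, bounded to two rounds (an assumption of this
    example) so a proxy matching on the decoded path sees the same marker
    whether it arrived literal or encoded."""
    decoded = uri
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def should_reject(uri: str, npm_in_use: bool = True) -> str | None:
    """Return why a reverse proxy should reject this request, or None."""
    path = normalize_uri(uri).split("?", 1)[0]
    if TRAVERSAL_MARKER in path:
        return "traversal-marker"
    if not npm_in_use and path.startswith(ADMIN_PREFIXES):
        return "admin-surface"
    return None


# Constructed sample lines in combined log format; not real traffic, and the
# sibling-context path is a placeholder, not a real MiCollab route.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2025:10:01:02 +0000] "GET /ucs/ HTTP/1.1" 200 512
203.0.113.9 - - [07/Jan/2025:10:01:07 +0000] "GET /npm-pwg/..;/SIBLING-CONTEXT-PLACEHOLDER HTTP/1.1" 200 188
203.0.113.9 - - [07/Jan/2025:10:01:09 +0000] "GET /npm-pwg/%2e%2e;/SIBLING-CONTEXT-PLACEHOLDER HTTP/1.1" 200 188
198.51.100.2 - - [07/Jan/2025:10:02:00 +0000] "POST /npm-admin/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_log(text: str, npm_in_use: bool = True) -> list[dict]:
    """Flag historical requests the rule would have rejected. A 200 on a
    flagged line is the one to escalate, since the proxy let it through."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _ts, _method, uri, status = m.groups()
        reason = should_reject(uri, npm_in_use)
        if reason:
            hits.append({"src": src, "uri": uri, "status": int(status), "reason": reason})
    return hits
```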
The wider lesson is for advisory authors and the tooling that reads them. The honesty of “substantially mitigated” is a step forward. The operational ambiguity it creates is a step the ecosystem has not built the road for. The auditor reading the advisory and the scanner reading the version string end up looking at the same host and reading different states. Until vendor advisories either commit to a binary fix or define what their hedged language means in operator-actionable terms, the gap will keep showing up where the audit lands.
What NVD says
CWE-22 — improper limitation of a pathname to a restricted directory. NVD CVSS 3.1 base 2.7 Low, vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. The reasoning is correct in isolation: the ReconcileWizard servlet accepts a report-name parameter inside an XML transaction blob and concatenates it into a filesystem path with no canonicalization, but the endpoint requires an authenticated admin session and the primitive is file read only. CISA-ADP rescored to 4.4 Medium with confidentiality high, which is closer to the bug's standalone impact on a host where an attacker has already taken over an admin account. Neither score models the chain. Combined with CVE-2024-41713's `..;/` path-normalization bypass in the NPM front-end, the admin-session prerequisite evaporates and the realistic severity is the chain's, not the second half's. NVD has no field for 'effective severity when chained with the partner CVE on the same KEV listing.'
What the vendor says
MISA-2024-0029 lists CVE-2024-55550 as fixed in MiCollab 9.8 SP2 (9.8.2.12), released October 9, 2024, alongside the CVE-2024-41713 fix. The advisory hedges: the language describes 55550 as 'substantially mitigated' in 9.8.2.12 with a full fix planned for a later release, and KB000116041 carries an interim backport for 6.0+ deployments that cannot jump to 9.8. The vendor advisory is unusually honest about the gap between mitigation and fix. It is also unusually silent on what an operator does with that honesty. The advisory does not name the conditions under which 'substantially mitigated' becomes 'unmitigated' — what input shapes survive, which logging changes detect them, when the follow-up release ships, or how the support ticket conversation should run.
Compliance impact
- PCI DSS: Requirement 6.3.3 of PCI DSS v4.0 requires critical security patches be installed within one month of release. The assessor's question on a host scanned as fixed against CVE-2024-55550 in 9.8.2.12 is not 'are you patched.' It is 'do you understand what your vendor means by substantially mitigated, and did you act on that understanding.' The QSA reading the advisory verbatim will treat the partial-fix language as a finding the operator either accepted with a documented compensating control or remediated to the follow-up release. 'Our scanner says fixed' is not an answer to a vendor advisory that explicitly says otherwise.
- HIPAA: The Security Rule's risk-analysis and risk-management obligations turn on what the covered entity reasonably knew. A vendor advisory that uses the phrase 'substantially mitigated' is documented knowledge that the patch is incomplete. The 164.308(a)(1)(ii)(B) risk-management decision on a MiCollab host running 9.8.2.12 cannot stop at 'we applied the patch.' It has to record what was known about the partial fix, whether the operator escalated to Mitel support for the KB000116041 backport or follow-up release, and what compensating control closed the residual surface in the interim — typically the reverse-proxy rule that rejects `..;/` requests and removes the chain entry point.
Sources
- NVD — CVE-2024-55550
- NVD — CVE-2024-41713 (chain partner)
- Mitel MISA-2024-0029 product security advisory
- watchTowr Labs — Where there's smoke, there's fire (Mitel MiCollab)
- Qualys ThreatPROTECT — CISA warns of Mitel MiCollab active exploitation
- Help Net Security — Mitel MiCollab and Oracle WebLogic exploited by attackers
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.