
ACSC releases critical alert regarding Mitel MiCollab collaboration software

A pair of vulnerabilities in a popular collaboration suite could allow malicious actors to access sensitive data.

David Hollingworth
Tue, 10 Dec 2024

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a critical alert regarding a pair of dangerous vulnerabilities in Mitel’s MiCollab collaboration software suite.

“The ASD’s ACSC is tracking multiple vulnerabilities in Mitel MiCollab collaboration software. The vulnerabilities identified are SQL injection and Authentication Bypass/Path Traversal, which may allow access to sensitive content,” the critical alert said.

“We have assessed that there is significant exposure to the Mitel MiCollab vulnerabilities in Australia and that any exploitation would have significant impact to Australian systems and networks.”


CVE-2024-35286 is a flaw in Mitel MiCollab’s NuPoint Messenger, present in versions up to 9.8.0.33. Because user input isn’t properly sanitised, this vulnerability lets an unauthenticated attacker launch a SQL injection attack. This could lead to a malicious actor executing unauthorised commands and retrieving sensitive data.

CVE-2024-41713 is a vulnerability in Mitel MiCollab’s NuPoint Unified Messaging component, present in versions up to 9.8 SP1 FP2 (9.8.1.201). This bug could allow a malicious actor to execute a path traversal attack, which could lead to that actor viewing, altering, or even deleting user data.

Mitel has released its own advisories on the vulnerabilities, and the ACSC recommends that users of Mitel MiCollab make sure their versions are up to date, be on alert for suspicious activity, and implement firewall policies that limit access to the MiCollab server.

“The ASD’s ACSC is monitoring the situation and is able to provide assistance and advice as required,” the ACSC said.

“Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
