Command Injection in Mitel products - CVE-2024-41711

 

Command Injection in Mitel products - CVE-2024-41711

Published: July 22, 2024 / Updated: January 30, 2025


Vulnerability identifier: #VU94633
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-41711
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Mitel
Affected software:
6800 Series SIP Phones
6900 Series SIP Phones
6900w Series SIP Phone
6970 Conference Unit

Detailed vulnerability description

The vulnerability allows a local attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation. An attacker with physical access can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2024-41711

Install updates from vendor's website.

Sources