CVE-2024-41713
CVE-2024-41713 is a critical-severity vulnerability in Mitel Micollab with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-01-07). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-01-07)
- EU (EUVD) id: EUVD-2024-39339
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-01-07)
- Weakness: CWE-22
- Affected product: Mitel Micollab
- Published:
- Last modified:
Description
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
CVE-2024-41713: Mitel MiCollab NuPoint Path Traversal Enables Data Compromise
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-41713 |
| Vendor | Mitel |
| Product | MiCollab (NuPoint Unified Messaging) |
| CVSS v3.1 | 9.1 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| EPSS | 0.98067 (99.9th percentile) |
| KEV Listed | Yes — added 2025-01-07 |
| EU Exploited | Yes — since 2025-01-07 |
Summary
A path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab allows an unauthenticated remote attacker to access files and directories outside the intended scope. Successful exploitation grants unauthorized read, write, and delete access to user data and system configuration files, effectively compromising confidentiality and integrity of the affected system.
Background
Mitel MiCollab is a unified communications and collaboration platform widely deployed in enterprise and public-sector environments. The NuPoint Unified Messaging (NPM) module provides voicemail, auto-attendant, and messaging services. Because this component is typically exposed to the network and handles sensitive communications data, any unauthenticated vulnerability in NPM represents a high-value attack surface.
Root Cause
CWE-22: Path Traversal. The NPM component fails to adequately sanitize user-supplied input when constructing file paths. An attacker can inject directory traversal sequences (e.g., ../) into requests processed by the NPM service, causing the application to resolve paths outside its intended directory sandbox. This insufficient input validation allows filesystem access at the privilege level of the web or application server process.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N scores this vulnerability at 9.1 (Critical):
- Attack Vector (AV:N) — Exploitable remotely over the network without any prerequisites.
- Attack Complexity (AC:L) — No special conditions or advanced techniques required.
- Privileges Required (PR:N) — No authentication needed.
- User Interaction (UI:N) — Fully automated exploitation possible.
- Confidentiality (C:H) — Attackers can read sensitive files including user data and configuration backups.
- Integrity (I:H) — Attackers can corrupt or delete files, altering system behavior or destroying evidence.
- Availability (A:N) — The CVSS scoring does not flag direct availability impact, but file deletion can induce downtime.
In practice, this enables data exfiltration, system reconfiguration, and potential lateral-movement staging.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the vulnerability mechanism from a defender's point of view. No weaponized exploit code is provided.
- Reconnaissance — The attacker identifies a MiCollab instance with the NPM component enabled (commonly exposed on standard web ports).
- Path Injection — The attacker sends a crafted HTTP request containing directory traversal sequences in a parameter or URI path handled by NPM.
- Filesystem Resolution — Due to missing input validation, the application resolves the injected path to a location outside the webroot or intended sandbox.
- Unauthorized Access — The attacker retrieves, modifies, or deletes arbitrary files accessible to the service account, such as voicemail stores, configuration files, or operating-system files.
Defenders should assume that proof-of-concept techniques are publicly known and that active exploitation has been confirmed by CISA and EU authorities.
Affected and Patched Versions
- Affected: Mitel MiCollab through 9.8 SP1 FP2 (version 9.8.1.201)
- Patched: Contact Mitel or refer to Mitel Security Advisory MISA-2024-0029 for fixed release information.
Remediation
- Apply Vendor Patch — Upgrade to a Mitel MiCollab version that addresses CVE-2024-41713 per MISA-2024-0029 as soon as possible.
- Restrict Network Exposure — Place MiCollab/NPM services behind a firewall or VPN; do not expose the admin or messaging interfaces directly to the internet.
- Input Validation (Compensating Control) — If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to block URI paths containing traversal sequences (
../,%2e%2e%2f, etc.). Note that this is a temporary measure and not a substitute for patching. - Principle of Least Privilege — Ensure the NPM service runs under a dedicated, low-privilege account with minimal filesystem access.
Detection
- Network Monitoring — Alert on HTTP requests to NPM endpoints containing encoded or literal traversal sequences.
- File Integrity Monitoring (FIM) — Monitor critical system directories and MiCollab configuration paths for unexpected modifications.
- Endpoint Detection — Look for anomalous file-access patterns by the MiCollab or NPM service account.
- Threat Intelligence — Cross-reference source IPs against known exploit-in-the-wild indicators; EPSS of 0.98067 indicates near-certain active exploitation probability.
Assessment
With an EPSS of 0.98067 (99.9th percentile) and confirmed inclusion in both the CISA KEV catalog and EU exploited-vulnerability database, CVE-2024-41713 is not a theoretical risk — it is actively exploited in the wild. The absence of an authentication barrier makes this vulnerability trivially exploitable by opportunistic and targeted actors alike.
Key lessons:
- Sanitize every path — Frameworks and custom code must canonicalize and validate all filesystem paths before use.
- Monitor exposure — Communications platforms with internet-facing components require rapid patch cycles and continuous attack-surface review.
References
Frequently asked questions
- What is CVE-2024-41713?
- A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
- How severe is CVE-2024-41713?
- CVE-2024-41713 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2024-41713 being actively exploited?
- Yes. CVE-2024-41713 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-01-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-41713?
- CVE-2024-41713 affects Mitel Micollab. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-41713?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-41713 have an EU (EUVD) identifier?
- Yes. CVE-2024-41713 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-39339. It is also flagged as exploited in the EUVD (since 2025-01-07).
- When was CVE-2024-41713 published?
- CVE-2024-41713 was published on 2024-10-21 and last updated on 2026-06-17.
References
- https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-41713
Affected products (1)
- cpe:2.3:a:mitel:micollab:*:*:*:*:*:-:*:*
More vulnerabilities in Mitel Micollab
- CVE-2024-35314 — Critical (CVSS 9.8): A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual…
- CVE-2024-35286 — Critical (CVSS 9.8): A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to…
- CVE-2024-35285 — Critical (CVSS 9.8): A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to…
- CVE-2022-41326 — Critical (CVSS 9.8): The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload…
- CVE-2022-36452 — Critical (CVSS 9.8): A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated…
- CVE-2022-26143 — Critical (CVSS 9.8): The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1…
All CVEs affecting Mitel Micollab →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…