CVE-2024-41713

CVE-2024-41713 is a critical-severity vulnerability in Mitel Micollab with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-01-07). The underlying weakness is classified as CWE-22.

Key facts

Description

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

CVE-2024-41713: Mitel MiCollab NuPoint Path Traversal Enables Data Compromise

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-41713
Vendor Mitel
Product MiCollab (NuPoint Unified Messaging)
CVSS v3.1 9.1 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
EPSS 0.98067 (99.9th percentile)
KEV Listed Yes — added 2025-01-07
EU Exploited Yes — since 2025-01-07

Summary

A path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab allows an unauthenticated remote attacker to access files and directories outside the intended scope. Successful exploitation grants unauthorized read, write, and delete access to user data and system configuration files, effectively compromising confidentiality and integrity of the affected system.

Background

Mitel MiCollab is a unified communications and collaboration platform widely deployed in enterprise and public-sector environments. The NuPoint Unified Messaging (NPM) module provides voicemail, auto-attendant, and messaging services. Because this component is typically exposed to the network and handles sensitive communications data, any unauthenticated vulnerability in NPM represents a high-value attack surface.

Root Cause

CWE-22: Path Traversal. The NPM component fails to adequately sanitize user-supplied input when constructing file paths. An attacker can inject directory traversal sequences (e.g., ../) into requests processed by the NPM service, causing the application to resolve paths outside its intended directory sandbox. This insufficient input validation allows filesystem access at the privilege level of the web or application server process.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N scores this vulnerability at 9.1 (Critical):

  • Attack Vector (AV:N) — Exploitable remotely over the network without any prerequisites.
  • Attack Complexity (AC:L) — No special conditions or advanced techniques required.
  • Privileges Required (PR:N) — No authentication needed.
  • User Interaction (UI:N) — Fully automated exploitation possible.
  • Confidentiality (C:H) — Attackers can read sensitive files including user data and configuration backups.
  • Integrity (I:H) — Attackers can corrupt or delete files, altering system behavior or destroying evidence.
  • Availability (A:N) — The CVSS scoring does not flag direct availability impact, but file deletion can induce downtime.

In practice, this enables data exfiltration, system reconfiguration, and potential lateral-movement staging.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the vulnerability mechanism from a defender's point of view. No weaponized exploit code is provided.

  1. Reconnaissance — The attacker identifies a MiCollab instance with the NPM component enabled (commonly exposed on standard web ports).
  2. Path Injection — The attacker sends a crafted HTTP request containing directory traversal sequences in a parameter or URI path handled by NPM.
  3. Filesystem Resolution — Due to missing input validation, the application resolves the injected path to a location outside the webroot or intended sandbox.
  4. Unauthorized Access — The attacker retrieves, modifies, or deletes arbitrary files accessible to the service account, such as voicemail stores, configuration files, or operating-system files.

Defenders should assume that proof-of-concept techniques are publicly known and that active exploitation has been confirmed by CISA and EU authorities.

Affected and Patched Versions

  • Affected: Mitel MiCollab through 9.8 SP1 FP2 (version 9.8.1.201)
  • Patched: Contact Mitel or refer to Mitel Security Advisory MISA-2024-0029 for fixed release information.

Remediation

  1. Apply Vendor Patch — Upgrade to a Mitel MiCollab version that addresses CVE-2024-41713 per MISA-2024-0029 as soon as possible.
  2. Restrict Network Exposure — Place MiCollab/NPM services behind a firewall or VPN; do not expose the admin or messaging interfaces directly to the internet.
  3. Input Validation (Compensating Control) — If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to block URI paths containing traversal sequences (../, %2e%2e%2f, etc.). Note that this is a temporary measure and not a substitute for patching.
  4. Principle of Least Privilege — Ensure the NPM service runs under a dedicated, low-privilege account with minimal filesystem access.

Detection

  • Network Monitoring — Alert on HTTP requests to NPM endpoints containing encoded or literal traversal sequences.
  • File Integrity Monitoring (FIM) — Monitor critical system directories and MiCollab configuration paths for unexpected modifications.
  • Endpoint Detection — Look for anomalous file-access patterns by the MiCollab or NPM service account.
  • Threat Intelligence — Cross-reference source IPs against known exploit-in-the-wild indicators; EPSS of 0.98067 indicates near-certain active exploitation probability.

Assessment

With an EPSS of 0.98067 (99.9th percentile) and confirmed inclusion in both the CISA KEV catalog and EU exploited-vulnerability database, CVE-2024-41713 is not a theoretical risk — it is actively exploited in the wild. The absence of an authentication barrier makes this vulnerability trivially exploitable by opportunistic and targeted actors alike.

Key lessons:

  1. Sanitize every path — Frameworks and custom code must canonicalize and validate all filesystem paths before use.
  2. Monitor exposure — Communications platforms with internet-facing components require rapid patch cycles and continuous attack-surface review.

References

Frequently asked questions

What is CVE-2024-41713?
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
How severe is CVE-2024-41713?
CVE-2024-41713 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2024-41713 being actively exploited?
Yes. CVE-2024-41713 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-01-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-41713?
CVE-2024-41713 affects Mitel Micollab. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-41713?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-41713 have an EU (EUVD) identifier?
Yes. CVE-2024-41713 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-39339. It is also flagged as exploited in the EUVD (since 2025-01-07).
When was CVE-2024-41713 published?
CVE-2024-41713 was published on 2024-10-21 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Mitel Micollab

All CVEs affecting Mitel Micollab →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →