CVE-2024-55550

CVE-2024-55550 is a low-severity vulnerability in Mitel Micollab with a CVSS 3.x base score of 2.7. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-01-07). The underlying weakness is classified as CWE-22.

Key facts

Description

Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.

CVE-2024-55550: Mitel MiCollab Path Traversal Enabling Local File Read by Authenticated Admins

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2024-55550 affects Mitel MiCollab collaboration platform versions through 9.8 SP2. An authenticated attacker possessing administrative privileges can exploit insufficient input sanitization to conduct a local file read via path traversal. While the CVSS 3.1 base score of 2.7 classifies this as LOW severity, the vulnerability has been actively exploited in the wild since January 2025 and carries an EPSS probability of 0.38104—placing it in the 98.37th percentile of scored CVEs.

Background

Mitel MiCollab is a unified communications and collaboration platform widely deployed in enterprise environments for messaging, voice, video, and team collaboration. The platform exposes administrative interfaces that handle file and resource requests. In affected versions, certain endpoints fail to adequately validate or sanitize user-supplied file paths, creating a traversal surface that an already-authenticated administrator can abuse.

Root Cause

The vulnerability is categorized under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The root cause is insufficient input sanitization on file-path parameters within the administrative interface. When an admin user submits a request referencing a file, the application does not sufficiently restrict the supplied path to the intended directory boundary. This allows directory-traversal sequences (such as ../ or equivalent encoded variants) to escape the intended resource directory and reach arbitrary files readable by the web server or application process.

Because the attacker must already hold administrative credentials, this is not an unauthenticated entry point—but it is an access-control failure within the privileged surface, allowing an admin to exceed their intended authorization scope.

Impact

The CVSS 3.1 vector for this issue is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, yielding a base score of 2.7 (LOW). Breaking this down:

  • Attack Vector (AV): Network — The vulnerable endpoint is reachable over the network.
  • Attack Complexity (AC): Low — No special conditions or race windows are required.
  • Privileges Required (PR): High — The attacker must be authenticated with administrative privileges.
  • User Interaction (UI): None — No victim interaction is needed.
  • Scope (S): Unchanged — The vulnerable component does not impact resources beyond its security scope.
  • Confidentiality (C): Low — Successful exploitation yields limited information disclosure.
  • Integrity (I): None — File modification is not possible.
  • Availability (A): None — No denial-of-service impact.

The NVD summary explicitly states that disclosure is limited to non-sensitive system information, and the vulnerability does not enable file modification or privilege escalation. However, even "non-sensitive" system files—such as configuration snippets, log fragments, or internal path structures—can aid an attacker in reconnaissance, lateral movement, or crafting follow-on attacks.

Exploitation Walkthrough

Ethics caveat: The following description is provided for defensive awareness and detection engineering only. No working exploit code is supplied, and attempting to reproduce this vulnerability on systems you do not own or have explicit written authorization to test is illegal in most jurisdictions and violates the Computer Fraud and Abuse Act (CFAA) and comparable laws globally.

An attacker with valid admin credentials authenticates to the MiCollab administrative web interface. The attacker navigates to a component that accepts a filename or file-path parameter—commonly found in backup, log-viewing, reporting, or file-management modules. By supplying a path containing traversal sequences (for example, ../../../etc/passwd or ..\..\..\windows\win.ini, depending on the underlying operating system and encoding behavior), the attacker coerces the application to resolve the path outside the intended directory.

Because the application lacks sufficient validation—such as canonicalization, allow-listing of permitted directories, or rejection of parent-directory references—the operating system returns the requested file contents within the HTTP response. The attacker observes the file contents in the browser or API response, harvesting system information that may reveal software versions, directory structures, or configuration details useful for further targeting.

From a defender's perspective, the critical observation is that all exploitation traffic originates from an authenticated admin session. This means the attack will not appear as an anonymous brute-force or scanning event; it will carry a valid session token and may blend with legitimate administrative activity.

Affected and Patched Versions

Status Versions
Affected Mitel MiCollab through 9.8 SP2
Patched No fixed version specified in currently available advisories.

Mitel has published a product security advisory (MISA-2024-0029), but the advisory visible in source data does not enumerate a specific patch release. Administrators should consult the Mitel Security Advisories portal directly for the latest patch guidance and release notes.

Remediation

  1. Apply vendor patches as soon as available. Monitor Mitel's security advisory page for updates to MiCollab beyond 9.8 SP2 and prioritize patching during the next maintenance window.

  2. Restrict administrative access. Because this vulnerability requires admin credentials, enforce strict network segmentation for MiCollab admin interfaces:

    • Limit administrative access to a dedicated management VLAN or jump host.
    • Require VPN or bastion access rather than exposing admin panels directly to the internet.
    • Enforce IP allow-listing where feasible.
  3. Review admin accounts. Conduct an audit of active administrative accounts. Disable or remove unused admin accounts, enforce MFA on all privileged accounts, and monitor for unexpected account creations or privilege changes.

  4. Compensating controls at the edge. If immediate patching is not possible, deploy a Web Application Firewall (WAF) or reverse proxy rule set that blocks path-traversal patterns in HTTP request parameters. While this is not a substitute for patching, it adds a layer of defense-in-depth.

Detection

Defenders should instrument the following detection opportunities:

  • WAF or proxy logs: Alert on HTTP requests to MiCollab admin endpoints that contain path-traversal sequences (../, ..\, or URL-encoded variants such as %2e%2e%2f) in query parameters, POST bodies, or headers.
  • File integrity monitoring (FIM): Monitor unexpected file-read events by the MiCollab application process, especially reads outside the application's expected working directories.
  • Authentication logs: Correlate admin sessions with subsequent anomalous API calls or page requests. Look for session tokens that access file-handling endpoints at unusual times or from unusual source IPs.
  • Endpoint detection: On the MiCollab host, monitor for the application worker process opening files outside its installation and data directories.

Assessment

The 2.7 CVSS score understates the operational risk of CVE-2024-55550. Two contextual factors elevate its real-world severity:

  • EPSS = 0.38104 (98.37th percentile): The Exploit Prediction Scoring System estimates a roughly 38% probability of exploitation within 30 days—extraordinarily high for a LOW-severity CVE. This reflects observed exploitation trends rather than theoretical impact.
  • Known Exploited Vulnerability (KEV) status: CISA added this CVE to the KEV catalog on 7 January 2025, and the EU Vulnerability Database (EUVD-2024-52803) also flags it as exploited in the wild since the same date. Active exploitation confirms that threat actors have operationalized this flaw despite its low base score.

Key lessons:

  1. CVSS is not the whole story. A LOW severity rating does not preclude active exploitation. Security teams should weight EPSS and KEV status at least as heavily as base CVSS when triaging patches.
  2. Insider-threat surfaces matter. Vulnerabilities that require admin credentials are sometimes deprioritized, yet compromised admin accounts, social engineering, or supply-chain breaches routinely deliver privileged access to external attackers. Every privileged function should treat input with the same skepticism as an unauthenticated boundary.

References

Frequently asked questions

What is CVE-2024-55550?
Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.
How severe is CVE-2024-55550?
CVE-2024-55550 has a CVSS 3.x base score of 2.7, rated low severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2024-55550 being actively exploited?
Yes. CVE-2024-55550 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-01-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-55550?
CVE-2024-55550 affects Mitel Micollab. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-55550?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-55550 have an EU (EUVD) identifier?
Yes. CVE-2024-55550 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-52803. It is also flagged as exploited in the EUVD (since 2025-01-07).
When was CVE-2024-55550 published?
CVE-2024-55550 was published on 2024-12-10 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Mitel Micollab

All CVEs affecting Mitel Micollab →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →