CVE-2024-35314

CRITICAL

Mitel MiCollab <= 9.7.1.110 & MiVoice Business Virtual Instance 1.0.0.25 - Unauthenticated Command Injection

Title source: llm

Description

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.

Scores

CVSS v3 9.8
EPSS 0.0175
EPSS Percentile 74.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
mitel/micollab < 9.7.1.110
mitel/mivoice_business_solution_virtual_instance 1.0.0.25
Published Oct 21, 2024
Tracked Since Feb 18, 2026