CVE-2024-41710

Warning

Exploit

EPSS 19.68%
Published 12.08.2024 19:15:16
Last modified 18.02.2025 15:28:00
Source cve@mitre.org
Teams watchlist Login
Open Login

A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.

Affected products Warnungen 1 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Mitel ≫ 6970 Firmware Version <= 6.4.0.136

Mitel ≫ 6970 Version-

Mitel ≫ 6940w Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6940w Sip Version-

Mitel ≫ 6930w Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6930w Sip Version-

Mitel ≫ 6920w Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6920w Sip Version-

Mitel ≫ 6920 Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6920 Sip Version-

Mitel ≫ 6915 Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6915 Sip Version-

Mitel ≫ 6910 Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6910 Sip Version-

Mitel ≫ 6905 Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6905 Sip Version-

Mitel ≫ 6940 Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6940 Sip Version-

Mitel ≫ 6930 Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6930 Sip Version-

Mitel ≫ 6873i Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6873i Sip Version-

Mitel ≫ 6869i Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6869i Sip Version-

Mitel ≫ 6867i Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6867i Sip Version-

Mitel ≫ 6865i Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6865i Sip Version-

Mitel ≫ 6863i Sip Firmware Version <= 6.4.0.136

Mitel ≫ 6863i Sip Version-

12.02.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Mitel SIP Phones Argument Injection Vulnerability

Vulnerability

Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	19.68%	0.952

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.8	0.9	5.9	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://www.mitel.com/support/security-advisories

Vendor Advisory

https://github.com/kwburns/CVE/blob/main/Mitel/6.3.0.1020/README.md

Third Party Advisory

Exploit

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-41710

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41710

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41710

EUVD