Cyber Resilience

CVE-2024-41713

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 21 October 2024
Modified: 04 November 2025
KEV Added: 07 January 2025
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9391 (99.9th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-41713 is a critical-severity Path Traversal (CWE-22) vulnerability in Mitel MiCollab. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, its EPSS score places it in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

Deeper analysis

A path traversal vulnerability exists in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab versions through 9.8 SP1 FP2 (9.8.1.201). The flaw stems from insufficient input validation of a path supplied by the client and is classified as CWE-22 (Path Traversal). It carries a CVSS 3.1 score of 9.1, reflecting a network-accessible attack vector that requires no authentication or user interaction.

An unauthenticated remote attacker can exploit the issue to perform path traversal, resulting in unauthorized access that permits viewing, corrupting, or deleting user data and system configuration files. The attack requires no privileges and can affect confidentiality and integrity without impacting availability.

Mitel's security advisory MISA-2024-0029 addresses the flaw, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. The associated EPSS score has reached a peak of 0.9515 with a current value of 0.9391.


EU & UK References

Vulnerability details

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 07 January 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitel MiCollab ≤ 9.8.1.201 (through 9.8 SP1 FP2)

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Pathname and filename validation (addresses CWE-22): validate client-supplied pathnames and filenames so that a request cannot resolve to a file outside the intended directory. Canonicalize the path (decode, normalize, resolve) before checking containment, and reject parent-directory segments, absolute paths, NUL bytes, and encoded or double-encoded traversal sequences rather than trying to strip them.
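The validation described above, as an added example that is not part of this page, of Mitel's advisory, or of the MiCollab code base (how NPM actually handles the path is not documented here). It assumes a hypothetical base directory `/srv/app/userdata` and shows the vulnerable concatenation pattern beside a hardened resolver that decodes repeatedly, normalizes, rejects `..` segments and absolute paths, and checks containment against the base directory. The sample inputs are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical base directory for this example; not a real MiCollab path.
BASE_DIR = "/srv/app/userdata"


class PathTraversalError(ValueError):
    """Raised when a client-supplied path fails validation."""


def decode_repeatedly(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    '..%252f' is seen as '../' rather than slipping past a single decode.
    More than max_rounds of encoding is itself treated as hostile."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise PathTraversalError("excessive encoding depth")


def unsafe_resolve(user_path: str) -> str:
    """The vulnerable pattern (CWE-22): the client value is glued onto the
    base directory with no validation, so '../' segments walk out of it."""
    return BASE_DIR + "/" + user_path


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Hardened resolver: canonicalize first, then reject anything that is
    not a plain relative path staying inside base_dir."""
    decoded = decode_repeatedly(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Treat backslashes as separators so '..\\' cannot be used as a bypass
    # on deployments where the underlying runtime accepts them.
    decoded = decoded.replace("\\", "/")
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute path rejected")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        raise PathTraversalError("parent-directory segment rejected")
    base = base_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, *segments)) if segments else base
    # Belt-and-braces containment check after normalization. On a live
    # system you would additionally realpath() to resolve symlinks.
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversalError("path escapes base directory")
    return candidate


def check(user_path: str):
    """Return (allowed, resolved_path_or_reason) for one client value."""
    try:
        return True, safe_resolve(user_path)
    except PathTraversalError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest traversal attempts.
    samples = [
        "reports/2024/summary.txt",
        "../../../etc/passwd",
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "..%252f..%252fetc%252fpasswd",
        "/etc/passwd",
        "reports/%00/../x",
    ]
    for s in samples:
        print(f"{s!r:40} unsafe={posixpath.normpath(unsafe_resolve(s))!r:32} safe={check(s)}")
```

The unsafe variant shows why normalization alone is not a defence: `posixpath.normpath` happily folds `/srv/app/userdata/../../../etc/passwd` down to `/etc/passwd`. The safe variant decides before normalizing, and its containment check only exists to catch anything the segment filter missed.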
