Cyber Resilience

CVE-2024-55550

Low · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 10 December 2024
Modified: 04 November 2025
KEV Added: 07 January 2025
Patch:
CVSS Score (v3.1): 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1772 (95.3rd percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55550 is a low-severity Path Traversal (CWE-22) vulnerability in Mitel MiCollab. Its CVSS base score is 2.7 (Low).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Mitel MiCollab through version 9.8 SP2 contains a path traversal vulnerability (CWE-22) that stems from insufficient input sanitization. An authenticated administrative user can supply crafted input to read arbitrary local files on the affected system. The flaw is rated CVSS 2.7 and permits access only to non-sensitive system information within the administrator’s existing privilege level; it does not enable file modification or privilege escalation.

An attacker who already possesses administrative credentials can exploit the issue over the network to retrieve files that would otherwise be inaccessible through normal administrative interfaces. Because the vulnerability requires high privileges, the attack surface is limited to insiders or compromised admin accounts, and successful exploitation yields only read access to constrained, non-sensitive resources.

Mitel has published security advisory MISA-2024-0029, available alongside general product security updates at mitel.com/support/security-advisories, that addresses the flaw. The advisory outlines the affected releases and directs administrators to apply the vendor-supplied remediation.

The CVE appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Its EPSS score rose from a low baseline after disclosure to a peak of 0.4272 on 2025-01-09 before receding to the current value of 0.1772, indicating a measurable increase in exploitation interest following public release.

EU & UK References

Vulnerability details

Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 07 January 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mitel / micollab, versions ≤ 9.8.1.201

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation and sanitization of inputs to block the path traversal that enables unauthorized local file reads.

prevent: Mandates prompt application of vendor patches that eliminate the insufficient input sanitization flaw in MiCollab.

prevent: Enforces intended access restrictions so that even administrative accounts cannot read files outside their authorized scope via crafted inputs.

References