CVE-2025-52913
Published: 08 August 2025
Summary
CVE-2025-52913 is a critical-severity Path Traversal (CWE-22) vulnerability in Mitel MiCollab (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
A path traversal vulnerability exists in the NuPoint Unified Messaging component of Mitel MiCollab through version 9.8 SP2 (9.8.2.12). The flaw stems from insufficient input validation and is tracked as CWE-22, carrying a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the issue over the network to perform path traversal, resulting in unauthorized access that permits viewing, corrupting, or deleting user data and system configurations.
Mitel has published security advisories addressing the vulnerability at https://www.mitel.com/support/security-advisories and https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0007.
The associated EPSS score remains flat at 0.0152 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24008
Vulnerability details
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public-facing NuPoint Unified Messaging component directly enables remote, unauthenticated exploitation of an Internet-facing application for data access, file corruption, and deletion.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause, insufficient input validation, that enables path traversal in crafted requests to the NPM component.
- AC-3 (Access Enforcement): enforces logical access controls to restrict unauthorized viewing, corruption, or deletion of the users' data and system configurations targeted by the traversal exploit.
- Monitors and controls network communications to the vulnerable NPM component, mitigating remote unauthenticated exploitation over the network.
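The input-validation control (SI-10) is the one that removes the root cause of a CWE-22 defect. The following Python is an added illustration of that control written for this entry; it is not Mitel's code and says nothing about how NuPoint Unified Messaging actually handles file names. The message-store root, the function names and the sample inputs are all constructed assumptions. It shows the two checks a defender wants together: a positive allow-list on the user-supplied name (applied after percent-decoding, so encoded traversal is judged in its decoded form) and a containment check on the resolved path, which also catches a symlink inside the store that points outside it.

```python
"""Added example: allow-list validation plus resolved-path containment for
user-supplied file names (the SI-10 control applied to CWE-22).

Not Mitel code; the store root and names below are constructed assumptions.
"""
from __future__ import annotations

import re
from pathlib import Path
from urllib.parse import unquote

# Hypothetical message store root (assumption, not a real product path).
MESSAGE_ROOT = Path("/var/lib/example-npm/messages")

# Positive allow-list: a single path component made of letters, digits,
# dot, dash and underscore; no separators, no leading dot, at most 128 chars.
# A leading dot is rejected by the first character class, so "." and ".."
# never match, and there is no deny-list of ".." to bypass with "....//".
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_message_name(user_value: str) -> str | None:
    """Return the name if it passes the allow-list, otherwise None.

    Decoding is done twice so that double-encoded input ("%252e%252e%252f")
    is judged as the "../" it would become, not as harmless-looking text.
    """
    decoded = unquote(unquote(user_value))
    if "\x00" in decoded:            # NUL would truncate the name in C-level APIs
        return None
    if not _SAFE_NAME.fullmatch(decoded):
        return None
    return decoded


def resolve_message_path(user_value: str, root: Path | str = MESSAGE_ROOT) -> Path | None:
    """Map a validated name to a path and verify it stays inside `root`.

    The allow-list already rejects traversal syntax; the containment check is
    an independent second barrier that holds even if the allow-list is later
    loosened to permit sub-folders, and it also catches a symlink inside the
    store that resolves to a location outside it.
    """
    name = validate_message_name(user_value)
    if name is None:
        return None
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / name).resolve()   # follows symlinks, if any
    if not candidate.is_relative_to(root_resolved):  # Python 3.9+
        return None
    return candidate


# Constructed sample inputs, as a request handler might receive them.
SAMPLE_INPUTS = [
    "greeting.wav",                 # accepted
    "voicemail_0042.wav",           # accepted
    "../../etc/passwd",             # rejected: separator and dot-dot
    "..%2f..%2fetc%2fpasswd",       # rejected: same thing percent-encoded
    "%252e%252e%252f",              # rejected: double-encoded "../"
    "....//config",                 # rejected: would survive naive '..' stripping
    "note\x00.wav",                 # rejected: embedded NUL
    ".hidden",                      # rejected: leading dot
]


def classify_samples(root: Path | str = MESSAGE_ROOT) -> dict[str, bool]:
    """Return {input: accepted?} for the constructed samples above."""
    return {s: resolve_message_path(s, root) is not None for s in SAMPLE_INPUTS}


if __name__ == "__main__":
    for value, accepted in classify_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6}  {value!r}")
```

The order of operations matters: decode first, then validate, then resolve and check containment. Validating before decoding, or stripping ".." instead of allow-listing, are the two habits that most often leave a traversal path open.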