Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Security researchers have discovered two significant vulnerabilities affecting Mitel\u2019s suite of SIP phones that could allow attackers to execute arbitrary commands and upload malicious files.<\/p>\n
The more severe vulnerability, identified as CVE-2025-47188, received a critical CVSS score of 9.8 and affects the company\u2019s 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit.<\/p>\n
This command injection vulnerability stems from insufficient parameter sanitization that could potentially expose sensitive system and user configuration data while affecting device availability and operations.<\/p>\n
The command injection vulnerability is particularly concerning as it requires no authentication to exploit.<\/p>\n
When successfully leveraged, attackers gain the ability to execute arbitrary commands<\/a> within the context of the phone\u2019s system.<\/p>\n This could lead to complete compromise of the device, allowing attackers to access sensitive data, modify configurations, or even render the device inoperable.<\/p>\n The attack vector is particularly dangerous as it provides attackers with elevated privileges within the phone\u2019s operating environment.<\/p>\n Alongside the critical command injection flaw, security researchers also discovered an unauthenticated file upload vulnerability (CVE-2025-47187) with a medium severity rating of 5.3.<\/p>\n This secondary vulnerability enables attackers to upload arbitrary WAV files to affected devices, potentially exhausting the phone\u2019s storage capacity.<\/p>\n While less severe than its counterpart, this vulnerability represents another entry point that malicious actors could exploit to disrupt operations.<\/p>\n Mitel analysts identified<\/a> that successful exploitation of these vulnerabilities requires network access to the targeted phones.<\/p>\n The researchers noted that while this somewhat limits the attack surface, many organizations deploy these devices on internal networks that may already be compromised through other means, creating a significant security risk for enterprise communications infrastructure.<\/p>\n The affected products include all versions of the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit running firmware version R6.4.0.SP4 and earlier.<\/p>\n The vulnerabilities were brought to Mitel\u2019s attention by Marc Bollhalder of InfoGuard Labs, highlighting the importance of coordinated vulnerability disclosure in telecommunications security<\/a>.<\/p>\n The command injection vulnerability exists in the phone\u2019s web interface processing components, where certain parameters are not properly sanitized before being passed to system commands.<\/p>\n When exploited, an attacker can append malicious commands<\/a> using command separators (like semicolons or pipes) that are then executed with the privileges of the web server process.<\/p>\n This allows for a wide range of potential attacks, from data exfiltration to persistent access.<\/p>\n For example, a typical exploitation pattern might involve sending a specially crafted HTTP request to an affected device where a legitimate parameter value is followed by command separators and arbitrary commands:-<\/p>\n Mitel has addressed both vulnerabilities in the R6.4.0.SP5 firmware update released on May 7, 2025.<\/p>\n Organizations using affected Mitel SIP phones are strongly encouraged to update to this version or later to mitigate the risk.<\/p>\n For organizations unable to update immediately, Mitel recommends implementing network segmentation<\/a> to restrict access to these devices and reviewing additional mitigation strategies detailed in knowledge base article SO8496.<\/p>\n The post Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nExploitation Mechanism and Mitigation<\/strong><\/h2>\n
GET \/config?parameter=legitimate_value;malicious_command HTTP\/1.1\nHost: [target_ip]<\/code><\/pre>\nAre you from the SOC and DFIR Teams? \u2013 Analyse Real time Malware Incidents with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/p>\n