Security researchers have discovered two significant vulnerabilities affecting Mitel’s suite of SIP phones that could allow attackers to execute arbitrary commands and upload malicious files. The more severe vulnerability, identified as CVE-2025-47188, received a critical CVSS score of 9.8 and affects the company’s 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit. The affected products include all versions of the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit running firmware version R6.4.0.SP4 and earlier. This command injection vulnerability stems from insufficient parameter sanitization that could potentially expose sensitive system and user configuration data while affecting device availability and operations. The researchers noted that while this somewhat limits the attack surface, many organizations deploy these devices on internal networks that may already be compromised through other means, creating a significant security risk for enterprise communications infrastructure. This secondary vulnerability enables attackers to upload arbitrary WAV files to affected devices, potentially exhausting the phone’s storage capacity. The command injection vulnerability exists in the phone’s web interface processing components, where certain parameters are not properly sanitized before being passed to system commands. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. For organizations unable to update immediately, Mitel recommends implementing network segmentation to restrict access to these devices and reviewing additional mitigation strategies detailed in knowledge base article SO8496. The vulnerabilities were brought to Mitel’s attention by Marc Bollhalder of InfoGuard Labs, highlighting the importance of coordinated vulnerability disclosure in telecommunications security. Mitel analysts identified that successful exploitation of these vulnerabilities requires network access to the targeted phones. Organizations using affected Mitel SIP phones are strongly encouraged to update to this version or later to mitigate the risk. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. When successfully leveraged, attackers gain the ability to execute arbitrary commands within the context of the phone’s system. This could lead to complete compromise of the device, allowing attackers to access sensitive data, modify configurations, or even render the device inoperable. When exploited, an attacker can append malicious commands using command separators (like semicolons or pipes) that are then executed with the privileges of the web server process.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 12 May 2025 06:30:00 +0000