.jpg)
A zero-day arbitrary file read vulnerability found in Mitel MiCollab has raised significant concerns about data security. Attackers can exploit this flaw and chain it with a critical bug (CVE-2024-35286) to access sensitive data stored on vulnerable instances of the platform. Mitel MiCollab is a cross-platform collaboration tool offering services such as instant messaging, SMS, voice and video calls, file sharing, and remote desktop sharing, designed to enhance workplace collaboration without verbal communication.
The Risks of Collaboration Platform Vulnerabilities
Data storage and handling of sensitive information are integral to modern organizations’ operations. According to WatchTower researchers, the Mitel MiCollab platform has a zero-day vulnerability that allows attackers to perform arbitrary file reads. However, to exploit this issue, attackers require access to the server’s filesystem. The vulnerability impacts a range of businesses, from large corporations to SMEs and remote or hybrid workforce setups, all relying on MiCollab for unified communication.
WatchTower reported the issue to Mitel on August 26, 2024, but after 90 days without a fix, the vulnerability remains unresolved. A report by WatchTower revealed that more than 16,000 MiCollab instances accessible via the internet are affected. Despite the lack of a CVE number assigned to the flaw, attackers can inject path traversals via the ‘ReconcileWizard’ servlet, exploiting the ‘reportName
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: