Command Execution Vulnerability in Mitel 6869i 4.5.0.41 Devices via Manual Firmware Update Page
CVE-2024-37570

8.8HIGH

Key Information:

Vendor: Mitel
Status: 6869i Sip Firmware
Vendor: CVE Published:; 9 June 2024

Summary

Mitel 6869i devices running version 4.5.0.41 are affected by a security vulnerability stemming from a lack of input sanitization on the Manual Firmware Update page. An authenticated user can exploit this flaw by manipulating the username and path parameters sent to the system. This unsanitized input is passed directly to the busybox ftpget command, enabling the potential for arbitrary command execution within the device's environment.

References

https://github.com/kwburns/CVE/tree/main/Mitel/5.0.0.1018...

https://github.com/kwburns/CVE/blob/main/Mitel/5.0.0.1018...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 9, 2024