Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands

May 12, 2025 - 08:44
Security researchers have discovered two significant vulnerabilities affecting Mitel’s suite of SIP phones that could allow attackers to execute arbitrary commands and upload malicious files.

The more severe vulnerability, identified as CVE-2025-47188, received a critical CVSS score of 9.8 and affects the company’s 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit.

This command injection vulnerability stems from insufficient parameter sanitization; successful exploitation could expose sensitive system and user configuration data and affect device availability and operations.

The command injection vulnerability is particularly concerning as it requires no authentication to exploit.

When successfully leveraged, attackers gain the ability to execute arbitrary commands within the context of the phone’s system.

This could lead to complete compromise of the device, allowing attackers to access sensitive data, modify configurations, or even render the device inoperable.

The attack vector is particularly dangerous as it provides attackers with elevated privileges within the phone’s operating environment.

Alongside the critical command injection flaw, security researchers also discovered an unauthenticated file upload vulnerability (CVE-2025-47187) with a medium severity rating of 5.3.

This secondary vulnerability enables attackers to upload arbitrary WAV files to affected devices, potentially exhausting the phone’s storage capacity.

While less severe than its counterpart, this vulnerability represents another entry point that malicious actors could exploit to disrupt operations.

Mitel analysts identified that successful exploitation of these vulnerabilities requires network access to the targeted phones.

The researchers noted that while this somewhat limits the attack surface, many organizations deploy these devices on internal networks that may already be compromised through other means, creating a significant security risk for enterprise communications infrastructure.

The affected products include all versions of the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit running firmware version R6.4.0.SP4 and earlier.

The vulnerabilities were brought to Mitel’s attention by Marc Bollhalder of InfoGuard Labs, highlighting the importance of coordinated vulnerability disclosure in telecommunications security.

Exploitation Mechanism and Mitigation

The command injection vulnerability exists in the phone’s web interface processing components, where certain parameters are not properly sanitized before being passed to system commands.

When exploited, an attacker can append malicious commands using command separators (like semicolons or pipes) that are then executed with the privileges of the web server process.

This allows for a wide range of potential attacks, from data exfiltration to persistent access.
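To make the flaw concrete from the defender's side, here is an added illustration (not Mitel's code and not taken from the advisory) of the pattern described above: a web handler that interpolates a request parameter into a shell command line, beside a hardened handler that allowlists the value and invokes the program with an argument list so no shell ever parses it. The configuration file, the `grep`-based lookup and the key names are constructed for the example; the real parameter and command in the affected firmware are not named on the page.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for a device configuration store; keys and values are made up.
SAMPLE_CONFIG = "sip_proxy: proxy.example.invalid\nweb_port: 80\nadmin_user: admin\n"

# Allowlist for a configuration key name: letters, digits and underscore only.
# Anything else (';', '|', '&', '$', backticks, newlines, ...) is rejected before any command runs.
SAFE_KEY = re.compile(r"[A-Za-z0-9_]{1,64}")


def write_sample_config() -> Path:
    """Write SAMPLE_CONFIG to a temporary file and return its path."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False)
    tmp.write(SAMPLE_CONFIG)
    tmp.close()
    return Path(tmp.name)


def build_command_vulnerable(key: str, config_path: Path) -> str:
    """The flawed pattern: the untrusted parameter is pasted into a shell command line.

    The string is returned rather than executed so the effect is visible: with a
    separator in `key`, a shell would treat everything after ';' or '|' as a
    second command running with the web server's privileges.
    """
    return f"grep ^{key}: {config_path}"


def lookup_hardened(key: str, config_path: Path) -> str:
    """Hardened form: validate against the allowlist, then run the program with an
    argument list (no shell), so separators can never reach a shell parser."""
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected configuration key: {key!r}")
    result = subprocess.run(
        ["grep", f"^{key}:", str(config_path)],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.strip()


def demo() -> dict:
    """Run both handlers against the constructed config and report what happened."""
    path = write_sample_config()
    try:
        out = {
            "vulnerable_cmd": build_command_vulnerable("web_port;malicious_command", path),
            "hardened_ok": lookup_hardened("web_port", path),
        }
        try:
            lookup_hardened("web_port;malicious_command", path)
            out["hardened_rejected"] = False
        except ValueError:
            out["hardened_rejected"] = True
    finally:
        path.unlink()
    return out


if __name__ == "__main__":
    print(demo())
```

The allowlist is the primary control: it is checked before anything executes, and it rejects rather than tries to strip separators, since stripping is easy to get wrong. Passing an argument list to `subprocess.run` without `shell=True` is the second layer; together they mean a value such as `legitimate_value;malicious_command` is never handed to a shell at all.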

For example, a typical exploitation pattern might involve sending a specially crafted HTTP request to an affected device where a legitimate parameter value is followed by command separators and arbitrary commands:

GET /config?parameter=legitimate_value;malicious_command HTTP/1.1
Host: [target_ip]
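A request of that shape leaves a trace in the phone's or a reverse proxy's access log. The following is an added example (not from the article or from Mitel) of a simple detector that walks Common Log Format lines, URL-decodes each query-string value and flags any that contain shell separators. The log lines, client addresses and timestamps are constructed; the `/config?parameter=` path mirrors the request shown above, with the page's `malicious_command` placeholder standing in for the command.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters that have no place in a well-formed configuration parameter value.
SEPARATOR_RE = re.compile(r"[;|&`\n]|\$\(")

# Common Log Format: client, ident, user, [timestamp], "METHOD path HTTP/x", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines; addresses, times and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:08:44:01 +0000] "GET /config?parameter=legitimate_value HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2025:08:44:07 +0000] "GET /config?parameter=legitimate_value%3Bmalicious_command HTTP/1.1" 200 128
10.0.0.9 - - [12/May/2025:08:44:09 +0000] "GET /config?parameter=legitimate_value%7Cmalicious_command HTTP/1.1" 200 128
10.0.0.7 - - [12/May/2025:08:45:00 +0000] "POST /upload.wav HTTP/1.1" 200 0
"""


def query_params(path: str) -> list:
    """Split a request path into (name, decoded value) pairs.

    Splitting is done by hand on '&' only, so a raw ';' inside a value is kept
    intact instead of being treated as a pair separator (older urllib versions
    split on ';' as well).
    """
    if "?" not in path:
        return []
    query = path.split("?", 1)[1]
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_log(text: str) -> list:
    """Return one finding per parameter value that contains a shell separator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, path, status = m.groups()
        for name, value in query_params(path):
            # Decode a second time so a double-encoded separator (%253B) is also caught.
            candidates = (value, unquote_plus(value))
            if any(SEPARATOR_RE.search(c) for c in candidates):
                findings.append({
                    "client": client,
                    "time": when,
                    "method": method,
                    "path": path.split("?", 1)[0],
                    "param": name,
                    "value": value,
                    "status": int(status),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Because the flaw is reachable without authentication, a hit from any client address is worth treating as a probe; on a segmented voice VLAN the client field also shows whether the request came from a host that has no business talking to the phones' web interface.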

Mitel has addressed both vulnerabilities in the R6.4.0.SP5 firmware update released on May 7, 2025.

Organizations using affected Mitel SIP phones are strongly encouraged to update to this version or later to mitigate the risk.

For organizations unable to update immediately, Mitel recommends implementing network segmentation to restrict access to these devices and reviewing additional mitigation strategies detailed in knowledge base article SO8496.

The post Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands appeared first on Cyber Security News.