Mitel Warns of Critical MiCollab Vulnerability: Remote Exploit Threatens Over 20,000 Systems
June 13, 2025
Mitel has issued a warning to its customers regarding a critical vulnerability in MiCollab that can be exploited remotely without requiring authentication.
This vulnerability, identified as a path traversal issue, affects the NuPoint Unified Messaging component of MiCollab, although it currently lacks a specific CVE identifier.
Attackers can exploit this flaw to gain unauthorized access to provisioning information, which includes non-sensitive user and network data, and to execute unauthorized administrative actions on the MiCollab Server.
Versions of MiCollab 9.8 SP2 (9.8.2.12) and earlier are vulnerable, while a patch has been made available in versions 9.8 SP3 (9.8.3.1) and later; notably, MiCollab 10.0.0.26 and subsequent versions are not affected.
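The version boundaries above are the first thing a defender needs when triaging an estate of MiCollab servers. The following Python helper is an added example, not code from the page, from Mitel or from SecurityWeek: it parses dotted MiCollab version strings, classifies each against the ranges the advisory states (9.8.2.12 and earlier vulnerable, 9.8.3.1 and later patched, 10.0.0.26 and later not affected), and flags anything the advisory is silent about (for instance 9.8.2.13 through 9.8.3.0, or 10.0.0.x below 10.0.0.26) as "unknown" so that it is verified by hand rather than assumed safe. The inventory is constructed sample data; host names are placeholders.

```python
"""Triage MiCollab instances against the version ranges stated in the advisory.

Assumption (labelled): versions that fall between the boundaries the advisory
names are reported as "unknown" rather than silently treated as fixed.
"""

# Boundaries as stated in the advisory summary.
VULNERABLE_MAX = (9, 8, 2, 12)    # MiCollab 9.8 SP2 and earlier: vulnerable
FIXED_MIN_9X = (9, 8, 3, 1)       # MiCollab 9.8 SP3 and later: patched
UNAFFECTED_MIN_10X = (10, 0, 0, 26)  # MiCollab 10.0.0.26 and later: not affected


def parse_version(text: str) -> tuple:
    """Parse 'a.b.c.d' (1 to 4 numeric components) into a 4-tuple of ints.

    Missing trailing components are padded with 0, so '10.1' becomes
    (10, 1, 0, 0). Anything non-numeric raises ValueError so that a bad
    inventory entry is surfaced instead of misclassified.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable MiCollab version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched', 'not affected' or 'unknown'."""
    v = parse_version(version)
    if v <= VULNERABLE_MAX:
        return "vulnerable"          # 9.8 SP2 (9.8.2.12) and earlier
    if v[0] < 10:
        # 9.x above 9.8.2.12: patched from 9.8.3.1, otherwise not covered
        return "patched" if v >= FIXED_MIN_9X else "unknown"
    if v >= UNAFFECTED_MIN_10X:
        return "not affected"        # 10.0.0.26 and later
    return "unknown"                 # 10.0.0.0 .. 10.0.0.25: advisory is silent


def hosts_needing_action(inventory: dict) -> list:
    """Hosts whose status is 'vulnerable' or 'unknown', sorted by name.

    Both classes need follow-up: vulnerable hosts need 9.8 SP3 or later,
    unknown ones need their version confirmed against the vendor advisory.
    """
    return sorted(
        host for host, ver in inventory.items()
        if classify(ver) in ("vulnerable", "unknown")
    )


# Constructed sample inventory (placeholder host names, not real systems).
SAMPLE_INVENTORY = {
    "micollab-hq-01.example": "9.8.2.12",
    "micollab-branch-02.example": "9.8.3.1",
    "micollab-lab-03.example": "10.0.0.26",
    "micollab-legacy-04.example": "9.7.1.5",
    "micollab-pilot-05.example": "10.0.0.3",
}

if __name__ == "__main__":
    for host, ver in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:32} {ver:10} {classify(ver)}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Run as-is it prints one status line per host and then the hosts needing follow-up. Keeping the "unknown" bucket separate is deliberate: an inventory script that only knows two states tends to report every non-matching build as safe, which is exactly the wrong default while the precise affected set is, as the summary notes, still unclear.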
Mitel had already released a patch for this vulnerability in February 2025; that patch also serves as a workaround for a similar vulnerability, CVE-2024-41713, disclosed in the fall of 2024.
Earlier in 2025, the cybersecurity agency CISA had warned that CVE-2024-41713 was being actively exploited in the wild, alongside another vulnerability in MiCollab known as CVE-2024-55550.
Researcher Dahmani Toumi discovered this vulnerability and reported that over 20,000 MiCollab instances were exposed to the internet, although the precise number of vulnerable systems remains unclear.
Threat actors have a history of targeting Mitel products, as demonstrated by the recent exploitation of vulnerabilities in Mitel SIP phones by the Aquabot DDoS botnet.
The potential consequences of exploiting this vulnerability include data exposure, service disruptions, and further compromises of the targeted organization's systems.
Summary based on 1 source
Source

SecurityWeek • Jun 13, 2025
Critical Vulnerability Exposes Many Mitel MiCollab Instances to Remote Hacking