- Security professionals at watchTowr have found a new bug in Mitel MiCollab
- Mitel has not released a patch yet
- watchTowr has suggested a number of measures to minimize the risk

A zero-day vulnerability, which allows criminals to read files they are not supposed to read, is still present in Mitel MiCollab three months after it was reported.
This is according to a new report from cybersecurity researchers at watchTowr, who claim to have found and reported the flaw at the end of August this year.
Mitel MiCollab is a unified communications and collaboration solution designed to improve teamwork and productivity by integrating messaging, voice, video and conferencing tools into a single platform.
watchTowr researchers were investigating another vulnerability when they discovered a flaw that could allow threat actors to access sensitive information about the accounts on a system. They contacted Mitel, who acknowledged the findings and set a patch deadline for the first week of December this year.
“At the time of publication, there was no update to the Mitel Security Advisory page,” watchTowr said in a recent report. The researchers also released a proof-of-concept detailing how the flaw could be exploited.
Communication and collaboration platforms are often targeted by cybercriminals because they usually contain sensitive information such as contracts, payment information, employee and customer data, and more. Criminals can use that information to pressure victims into paying ransoms, or to conduct phishing attacks that can result in the deployment of ransomware and other malware.
To make matters worse, BleepingComputer claims that MiCollab has also been targeted in the past, suggesting it’s only a matter of time before this new zero-day is exploited, especially now that a proof-of-concept is already available.
Since the patch has not yet been released, users are advised to restrict access to the MiCollab server, implement strict firewall rules, monitor logs for suspicious activity, and, if possible, disable or limit access to the ReconcileWizard servlet.
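One way to act on the log-monitoring advice, as an added example that is not from watchTowr, Mitel or the original article: the Python sketch below flags web requests that reference the ReconcileWizard servlet from addresses outside a management allowlist, decoding percent-encoding first so an encoded servlet name is not missed. The log format, the allowlisted network, the `/example-path/` URLs and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only this management network may reach the servlet (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: access log lines are in Apache/NCSA common or combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines; "/example-path/" is a placeholder, not the product's real URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2024:10:01:02 +0000] "GET /example-path/ReconcileWizard/x HTTP/1.1" 200 512',
    '10.20.0.5 - - [05/Dec/2024:10:02:10 +0000] "GET /example-path/ReconcileWizard/x HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Dec/2024:10:03:44 +0000] "POST /example-path/%2552econcilewizard/y HTTP/1.1" 404 0',
    '203.0.113.7 - - [05/Dec/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def fully_decode(target, rounds=3):
    """Percent-decode repeatedly so single- or double-encoded names still match."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_allowed(ip_text, allowed):
    """True only for a parseable client address inside an allowlisted network."""
    try:
        src = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(src in net for net in allowed)

def find_servlet_hits(lines, allowed=ALLOWED_NETS):
    """Return parsed log fields for servlet requests from non-allowlisted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "reconcilewizard" not in fully_decode(m["target"]).lower():
            continue
        if not is_allowed(m["ip"], allowed):
            hits.append(m.groupdict())
    return hits

if __name__ == "__main__":
    for hit in find_servlet_hits(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["target"], hit["status"])
```

Any hit is a prompt to review the request and the firewall rule that let it through; the check does not by itself establish that the flaw was exploited.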
Via BleepingComputer