Advisory

Critical flaws in Mitel SIP phones allow command injection and unauthorized file upload

Take action: If you are running Mitel SIP phones, first make sure, as usual, that they sit on a network isolated from the rest of the infrastructure and from the internet; this is standard best practice for any SIP phone network. Then start applying patches, which should not be too complex with central management. Alternatively, review the mitigation advisories published by Mitel. Don't ignore this: hackers love SIP phones for their botnets.


Learn More

Mitel has addressed multiple security vulnerabilities affecting its SIP phone product line

Vulnerability summary

  • CVE-2025-47188 (CVSS score 9.8) is a command injection vulnerability that poses a significant threat to organizations using vulnerable versions of these communication devices. Due to insufficient parameter sanitization, this flaw allows an unauthenticated attacker to execute arbitrary commands within the context of the phone. Successful exploitation could lead to disclosure or modification of sensitive system and user configuration data, potentially affecting device availability and operation.
  • CVE-2025-47187 (CVSS score 5.3) is an unauthenticated file upload vulnerability that allows attackers to upload arbitrary WAV files due to improper authentication mechanisms, potentially exhausting the phone's storage. Mitel states this would not affect the phone's availability or operation.

Incidents from January 2025 demonstrate that the Mirai botnet has already exploited similar security vulnerabilities in Mitel phones to distribute malware.

The vulnerabilities affect the following Mitel products with versions R6.4.0.SP4 and earlier:

  • Mitel 6800 Series SIP Phones
  • Mitel 6900 Series SIP Phones
  • Mitel 6900w Series SIP Phones
  • Mitel 6970 Conference Unit

Users of affected products are strongly advised to upgrade to version R6.4.0.SP5 or later as soon as possible. For customers unable to update immediately, Mitel recommends reviewing available workarounds detailed in their Knowledge Base article SO8496, "Mitel 6800 Series, 6900 Series and 6900w Series SIP Phones, including 6970 Conference Unit Security Update, CVE-2025-47187 and CVE-2025-47188."
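To turn the "R6.4.0.SP4 and earlier" cut-off into something a fleet administrator can run against an inventory export, here is an added example (not code from Mitel or from this advisory). It assumes Mitel release strings follow the pattern R<major>.<minor>.<patch>[.SP<n>] as in "R6.4.0.SP4", treats a missing SP suffix as SP0, and recognizes affected models by a 68xx/69xx number in the model name; all three are assumptions about Mitel's naming, and the inventory rows are constructed samples, not real devices.

```python
"""Flag Mitel 6800/6900/6900w/6970 devices still on R6.4.0.SP4 or earlier.

Added example, not from the Mitel advisory. Version-string format, the
SP0 default and the model-number heuristic are assumptions (see lead-in).
"""
import re
from typing import List, Optional, Sequence, Tuple

# Fixed release named in the advisory; anything below it is flagged.
FIXED_VERSION = "R6.4.0.SP5"

# Constructed sample inventory: (hostname, model, firmware). Not real devices.
SAMPLE_INVENTORY = [
    ("phone-lobby-01", "Mitel 6867i", "R6.4.0.SP4"),   # exactly the cut-off
    ("phone-hr-12", "Mitel 6920", "R6.4.0.SP5"),       # already patched
    ("conf-room-a", "Mitel 6970", "R6.3.0.SP2"),       # older major release
    ("phone-dev-07", "Mitel 6930w", "R6.4.0"),         # no SP suffix -> SP0
    ("phone-ops-03", "Mitel 6940", "R6.5.0.SP1"),      # newer than the fix
    ("phone-test-99", "Mitel 6863i", "n/a"),           # unparseable version
    ("phone-guest-02", "Other Vendor X100", "R6.4.0.SP1"),  # not an affected model
]

# R<major>.<minor>.<patch> with an optional .SP<n> service-pack suffix (assumed format).
_VERSION_RE = re.compile(r"^R(\d+)\.(\d+)\.(\d+)(?:\.SP(\d+))?$", re.IGNORECASE)
# 68xx / 69xx model numbers cover the 6800, 6900, 6900w series and the 6970 (assumed).
_AFFECTED_MODEL_RE = re.compile(r"\b6[89]\d\d")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, sp) or None if the string is not recognized."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, sp = m.groups()
    return (int(major), int(minor), int(patch), int(sp) if sp else 0)


def is_affected_model(model: str) -> bool:
    """Heuristic: the model name carries a 68xx or 69xx number."""
    return _AFFECTED_MODEL_RE.search(model) is not None


def is_vulnerable(firmware: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if firmware is older than the fixed release, None if unparseable."""
    parsed = parse_version(firmware)
    if parsed is None:
        return None
    # Tuple comparison orders by major, minor, patch, then service pack.
    return parsed < parse_version(fixed)


def find_vulnerable(inventory: Sequence[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts needing the patch and hosts needing manual review."""
    needs_patch: List[str] = []
    unknown: List[str] = []
    for host, model, firmware in inventory:
        if not is_affected_model(model):
            continue  # out of scope for this advisory
        verdict = is_vulnerable(firmware)
        if verdict is None:
            unknown.append(host)  # version string not understood; check by hand
        elif verdict:
            needs_patch.append(host)
    return needs_patch, unknown


if __name__ == "__main__":
    to_patch, review = find_vulnerable(SAMPLE_INVENTORY)
    print("Needs R6.4.0.SP5 or later:", ", ".join(to_patch))
    print("Manual review (unparseable version):", ", ".join(review))
```

Hosts whose version string does not parse are reported separately rather than silently skipped, because an inventory gap is exactly where an unpatched phone hides. Run against a real export, the "needs patch" list is the set of devices to either upgrade or apply the SO8496 workarounds to until they are upgraded.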
