Mitel reports critical path traversal flaw in Mitel MiCollab
Take action: If you run Mitel MiCollab at version 9.8 SP2 or earlier, upgrade to 9.8 SP3 now or apply Mitel's patch for CVE-2025-23092. Attackers pay close attention to MiCollab because, as a unified communications platform, it is exposed to the internet by design, and this flaw bypasses the fix for a bug that was already exploited in the wild. Don't ignore this one.
Learn More
Mitel is reporting a critical path traversal vulnerability in its MiCollab communications and collaboration platform that can be exploited remotely without authentication. MiCollab is widely deployed and gives organizations integrated voice, video, chat, web conferencing, and team collaboration capabilities, which is why it typically sits at the network edge.
The vulnerability is tracked as CVE-2025-23092 (CVSS score 9.8) and is caused by insufficient input validation in the NuPoint Unified Messaging (NPM) component of MiCollab. An unauthenticated attacker who exploits it could read provisioning information (user and network information Mitel classes as non-sensitive) and perform unauthorized administrative actions on the MiCollab server.
This flaw is a bypass of the patch for CVE-2024-41713, a similar path traversal vulnerability disclosed in fall 2024. CISA warned in early 2025 that CVE-2024-41713 had been exploited in the wild.
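The pattern described here, a path traversal fix that is later bypassed, usually comes down to where the check runs: a filter applied to the raw request string before decoding or normalisation can be defeated by nested sequences or percent-encoded dots. The following is an added, generic Python illustration of that failure mode and of the canonicalise-then-contain check that closes it; it is not Mitel code, the page does not describe the specific technique used against the CVE-2024-41713 fix, and the document root and request strings are constructed for the demonstration.

```python
import os
import urllib.parse

# Constructed, hypothetical document root for the demonstration; not a Mitel path.
WEB_ROOT = "/srv/app/public"


def escapes_root(path: str) -> bool:
    """True if the normalised form of `path` lies outside WEB_ROOT."""
    return os.path.commonpath([WEB_ROOT, os.path.normpath(path)]) != WEB_ROOT


def naive_filter_then_decode(requested: str) -> str:
    """A filter-style 'fix': strip literal '../', then decode, then join.

    This models the kind of patch that later gets bypassed. The check runs on
    the raw input, so nested sequences ('....//') and percent-encoded dots
    survive it and only become '..' afterwards; an absolute path is not
    checked at all because os.path.join discards WEB_ROOT for it.
    """
    filtered = requested.replace("../", "")
    decoded = urllib.parse.unquote(filtered)
    return os.path.join(WEB_ROOT, decoded)


def canonicalise_and_contain(requested: str):
    """Hardened handler: decode, build the final path, normalise it, and
    refuse anything whose canonical form is not under WEB_ROOT.

    Returns the safe absolute path, or None if the request must be rejected.
    """
    decoded = urllib.parse.unquote(requested)
    candidate = os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/")))
    # normpath resolves '..' lexically; on a live system use os.path.realpath
    # so a symlink inside the root cannot point out of it.
    if escapes_root(candidate):
        return None
    return candidate


# Constructed request paths: one legitimate, four traversal attempts.
SAMPLE_REQUESTS = [
    "docs/readme.txt",
    "../../../etc/passwd",
    "....//....//....//etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
]


def triage(requests=SAMPLE_REQUESTS):
    """For each request, report whether the naive handler lets it escape the
    root and whether the hardened handler rejects it."""
    rows = []
    for req in requests:
        naive_path = naive_filter_then_decode(req)
        hardened = canonicalise_and_contain(req)
        rows.append({
            "request": req,
            "naive_escapes": escapes_root(naive_path),
            "hardened_rejects": hardened is None,
        })
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Two details are worth noticing in the output. The literal `../../../etc/passwd` request is the only attack the naive filter stops, which is exactly the situation a first patch tends to leave behind. The `....//` request is not rejected by the hardened handler, and that is correct: after normalisation it resolves to a directory literally named `....` under the root, so the check judges where the path lands rather than what it looks like.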
The vulnerability affects MiCollab Community Edition and Enterprise Edition versions 9.8 SP2 (9.8.2.12) and earlier.
Organizations running these versions are urged to upgrade immediately to version 9.8 SP3 (9.8.3.1) or later. MiCollab 10.0.0.26 and later are not affected. For organizations unable to upgrade immediately, Mitel has provided a patch for releases 6.0 and above; treat the patch as a stopgap and still plan the upgrade, since this CVE itself exists because an earlier fix for the same component was bypassed.