Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Command Injection in Mitel 6800/6900/6900w Series SIP Phones

IdentifiersCVE-2024-41710CWE-78

CVE-2024-41710 is a command/argument injection vulnerability affecting Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through firmware R6.4.0.HF1 (R6.4.0.136). The issue is caused by insufficient parameter sanitization during the boot process, allowing an authenticated attacker with administrative privileges to inject crafted arguments that are interpreted by the underlying system. Public reporting and observed exploitation indicate the flaw can be abused via device configuration handling, including the 8021xsupport.html endpoint, to introduce malicious content that is later processed during boot. Successful exploitation results in arbitrary command execution in the system context; supporting reporting indicates this can lead to root-level access on affected devices.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary command execution on the affected SIP phone. Based on the supporting reporting, exploitation can yield root access on the device, enabling full compromise of the phone, execution of malware, modification of configuration, persistence, and use of the device as a botnet node. In observed in-the-wild activity, attackers used the flaw to fetch and execute shell scripts that installed Mirai-derived malware for DDoS operations.

Mitigation

If you can’t patch tonight, do this now.

Restrict administrative access to trusted management networks only, disable or tightly control remote administration, and limit exposure of phone management interfaces and provisioning paths from untrusted networks. Enforce strong unique administrator credentials, monitor for unexpected access to configuration-related endpoints such as 8021xsupport.html, and inspect outbound connections for suspicious payload retrieval or C2 traffic. Where immediate patching is not possible, isolate vulnerable phones with network segmentation and egress filtering to reduce the likelihood of exploitation and post-compromise malware download.

Remediation

Patch, then assume compromise.

Upgrade affected Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, to a fixed firmware release newer than R6.4.0.HF1 (R6.4.0.136), in accordance with Mitel vendor guidance. Review device configurations for unauthorized changes, inspect for indicators of compromise, and reimage or factory-reset and reprovision devices if compromise is suspected, since successful exploitation may provide root-level execution and persistence.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Mitel6863i Sip Firmwareoperating_system
Mitel6865i Sip Firmwareoperating_system
Mitel6867i Sip Firmwareoperating_system
Mitel6869i Sip Firmwareoperating_system
Mitel6873i Sip Firmwareoperating_system
Mitel6905 Sip Firmwareoperating_system
Mitel6910 Sip Firmwareoperating_system
Mitel6915 Sip Firmwareoperating_system
Mitel6920 Sip Firmwareoperating_system
Mitel6920w Sip Firmwareoperating_system
Mitel6930 Sip Firmwareoperating_system
Mitel6930w Sip Firmwareoperating_system
Mitel6940 Sip Firmwareoperating_system
Mitel6940w Sip Firmwareoperating_system
Mitel6970 Conference Firmwareoperating_system
Mitel6970 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-41710
NVD
nvd.nist.gov/vuln/detail/CVE-2024-41710
MITRE CWE · CWE-78
cwe.mitre.org
Vendor Advisory
mitel.com/support/security-advisories
Vendor Advisory
mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019
Third Party Advisory
github.com/kwburns/CVE/blob/main/Mitel/6.3.0.1020/README.md
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-41710