Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access


Cybersecurity researchers have released a proof-of-concept (PoC) exploit combining a now-patched critical vulnerability (CVE-2024-41713, CVSS 9.8) in Mitel MiCollab's NuPoint Unified Messaging (NPM) component with an arbitrary file read zero-day, enabling attackers to access sensitive files. The vulnerability, caused by insufficient input validation, allows unauthenticated path traversal via the ReconcileWizard component. Mitel patched this flaw in MiCollab version 9.8 SP2 (October 2024) but noted its potential to expose non-sensitive system information and enable unauthorized administrative actions. Additional vulnerabilities, including a separate SQL injection flaw (CVE-2024-47223, CVSS 9.4), highlight broader risks in Mitel's components.
