Critical Vulnerabilities in Mitel SIP Phones Expose Systems to Remote Command Injection

Recent security analyses have uncovered critical vulnerabilities in Mitel’s SIP phone series, notably the 6800, 6900, and 6900w models, including the 6970 Conference Unit. These flaws could allow attackers to execute arbitrary commands remotely, posing significant risks to organizational communications infrastructure.

Overview of Identified Vulnerabilities

The primary concern centers around CVE-2024-41710, a command injection vulnerability present in firmware versions up to R6.4.0.HF1 (R6.4.0.136). This flaw arises from inadequate input sanitization during the boot process, enabling authenticated attackers with administrative privileges to inject malicious commands. Successful exploitation could lead to unauthorized command execution within the system’s context, compromising device confidentiality, integrity, and availability. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2024-41710?utm_source=openai))

Another significant issue is CVE-2024-41711, which affects the same series of SIP phones. This command injection vulnerability allows remote attackers to execute arbitrary commands without authenticating, because the web administration interface handles user-supplied input improperly. The high CVSS score of 8.8 underscores the critical nature of this flaw. ([onekey.com](https://www.onekey.com/resource/security-advisory-unauthenticated-command-injection-in-mitel-ip-phones?utm_source=openai))

Exploitation and Impact

In early 2025, the Aquabot botnet, a variant of the Mirai malware, began exploiting CVE-2024-41710. Attackers utilized this vulnerability to gain root access to affected devices, enabling them to execute arbitrary commands and integrate the phones into a botnet capable of launching distributed denial-of-service (DDoS) attacks. The malware propagated by fetching and executing shell scripts, which in turn downloaded Mirai binaries tailored for various architectures, including x86 and ARM. ([securityweek.com](https://www.securityweek.com/aquabot-botnet-targeting-vulnerable-mitel-phones/?utm_source=openai))

The exploitation of these vulnerabilities poses severe risks, including unauthorized access to sensitive information, disruption of telephony services, and potential lateral movement within organizational networks. Given the widespread deployment of Mitel SIP phones in enterprise environments, the impact of such attacks can be extensive.

Mitigation Measures

Mitel has responded by releasing firmware updates to address these vulnerabilities. For CVE-2024-41710, the company issued a security advisory (24-0019) recommending that customers update to the latest firmware versions. ([mitel.com](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0010?utm_source=openai)) Similarly, for CVE-2024-41711, Mitel published advisory 24-0020, urging users to apply the necessary patches. ([onekey.com](https://www.onekey.com/resource/security-advisory-unauthenticated-command-injection-in-mitel-ip-phones?utm_source=openai))

Organizations utilizing affected Mitel SIP phones should take the following steps:

1. Firmware Updates: Immediately update devices to the latest firmware versions as specified in Mitel’s security advisories.

2. Network Segmentation: Isolate SIP phones from critical network segments to limit potential lateral movement by attackers.

3. Access Controls: Implement strict access controls and change default administrative credentials to reduce the risk of unauthorized access.

4. Monitoring and Logging: Enable comprehensive logging and monitor for unusual activity that may indicate exploitation attempts.

5. User Training: Educate staff on recognizing phishing attempts and other common attack vectors that could lead to credential compromise.
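The first step above, finding which phones still run a vulnerable build, is easiest to do against a device inventory. The following triage script is an added example (not Mitel's code or tooling): it parses Mitel-style version strings such as R6.4.0.136, flags affected 6800/6900/6900w models at or below the last vulnerable build named on this page (R6.4.0.136), and treats unparseable versions as needing review. The CSV layout, the model-prefix check, and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Last vulnerable build for CVE-2024-41710 as stated on the page: R6.4.0.HF1 (R6.4.0.136).
LAST_VULNERABLE = (6, 4, 0, 136)
# Page names the 6800, 6900 and 6900w series; matching on model-number prefix is an assumption.
AFFECTED_PREFIXES = ("68", "69")

# Numeric form only, e.g. "R6.4.0.136". Hotfix labels such as "R6.4.0.HF1" are not
# mapped to a build number here and therefore fall through to manual review.
_VERSION_RE = re.compile(r"^R(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'R6.4.0.136' into (6, 4, 0, 136); return None for anything else."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected_model(model: str) -> bool:
    return model.strip().startswith(AFFECTED_PREFIXES)


def needs_update(model: str, firmware: str) -> bool:
    """True for an affected model on the vulnerable build or older.
    Fail closed: a version that cannot be parsed is also flagged."""
    if not is_affected_model(model):
        return False
    version = parse_version(firmware)
    return version is None or version <= LAST_VULNERABLE


def triage(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (ip, model, firmware) for every inventory row that needs attention."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["ip"], r["model"], r["firmware"])
            for r in rows if needs_update(r["model"], r["firmware"])]


# Constructed sample inventory; addresses and firmware values are illustrative only.
SAMPLE_INVENTORY = """ip,model,firmware
10.0.5.11,6867i,R6.4.0.136
10.0.5.12,6920,R6.4.0.137
10.0.5.13,6970,R6.3.0.110
10.0.5.14,6940w,unknown
10.0.5.15,6735i,R6.4.0.136
"""

if __name__ == "__main__":
    for ip, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{ip}\t{model}\t{fw}\tUPDATE REQUIRED")
```

Feed it the export from your phone management system instead of the sample, and confirm the current fixed build against Mitel's advisory before relying on the threshold.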

Conclusion

The discovery of these critical vulnerabilities in Mitel SIP phones highlights the importance of proactive security measures in telecommunications infrastructure. Organizations must prioritize timely firmware updates, robust access controls, and continuous monitoring to safeguard against potential exploits. By addressing these vulnerabilities promptly, businesses can protect their communication systems from unauthorized access and potential service disruptions.