CVE-2023-32748

Vulnerability

An improper access control vulnerability exists in the Linux DVS server component of Mitel MiVoice Connect through version 19.3 SP2 (22.24.1500.0). This flaw allows an unauthenticated attacker with internal network access to execute arbitrary scripts, as cited in the advisory [2].

Exploitation

An attacker must have internal network access to the affected MiVoice Connect deployment; no authentication is required. The improper access control permits the attacker to send crafted requests to the Linux DVS server, resulting in arbitrary script execution. No user interaction or additional privileges are needed [2].

Impact

Successful exploitation enables the attacker to execute arbitrary scripts on the affected Linux DVS server. This can lead to full compromise of the system, including information disclosure, potential lateral movement within the network, and disruption of services [2].

Mitigation

Mitel has released new versions of the affected software. Customers are advised to update to the latest available versions and apply the mitigation measures detailed in the product security advisory [2]. General guidance and future updates can be found on Mitel's security advisories page [1].