CVE-2023-39286
Description
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated CSRF vulnerability in Mitel MiVoice Connect Mobility Router (through 9.6.2304.102) allows an attacker to modify system configuration by tricking a user into clicking a crafted URL.
Vulnerability
Mitel MiVoice Connect Mobility Router, versions 9.6.2307.103 and earlier [1], contains a Cross Site Request Forgery (CSRF) vulnerability due to insufficient request validation [1]. The flaw resides in the Mobility Router component of the MiVoice Connect solution and requires no authentication to exploit [1].
Exploitation
An unauthenticated attacker can craft a malicious URL that performs state-changing requests on behalf of an authenticated user [1]. The attacker must trick a valid user with administrative privileges into clicking the crafted link or visiting a malicious page while logged into the Mobility Router interface [1]. No network proximity or race condition is required; standard CSRF chaining is sufficient.
Impact
A successful exploit allows the attacker to modify system configuration settings [1]. The impact is limited to unauthorized configuration changes, potentially affecting service availability and network policy, but does not directly achieve remote code execution or full system compromise. The vector targets integrity and availability of the affected system.
Mitigation
Mitel has released updated software to address the vulnerability [1]. Customers should update to the latest available release of MiVoice Connect Mobility Router, as detailed in the vendor advisory [1]. No workaround is described; applying the patch is the recommended action.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitel/MiVoice Connect
- Range: <=9.6.2304.102
Patches
No patches discovered yet.
References