VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2023 · Updated Oct 2, 2024

CVE-2023-39287

Description

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated attackers with elevated privileges can inject command arguments into the Mitel MiVoice Connect Edge Gateway (≤19.3 SP3), enabling network information disclosure and traffic flooding.

Vulnerability

A command argument injection vulnerability exists in the Edge Gateway component of Mitel MiVoice Connect through version 19.3 SP3 (22.24.5800.0). The flaw arises from insufficient sanitization of parameters passed to gateway commands, allowing an authenticated attacker with elevated privileges and internal network access to inject arbitrary arguments. Affected versions include all releases prior to the patched update [1].

Exploitation

An attacker must be authenticated to the system and possess elevated privileges (e.g., administrative access) along with internal network connectivity to the Edge Gateway. No user interaction or race condition is required. The attacker crafts malicious input to a vulnerable command parameter, which the gateway passes to the command without proper validation, so the command runs with attacker-controlled arguments [1].

Impact

Successful exploitation enables the attacker to access sensitive network information (e.g., configuration data, traffic logs) and to generate excessive network traffic, potentially causing denial-of-service conditions or resource exhaustion. The compromise occurs at the gateway level, affecting connected network operations [1].

Mitigation

Mitel has released updated software versions to address this vulnerability. Customers are advised to upgrade to the latest release (beyond 19.3 SP3). No workarounds are documented; contacting Mitel Product Support is recommended for assistance [1]. If no fix is available for legacy deployments, consider network segmentation and access controls to limit exposure.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
