Lucene search
+L

Mitel 6800 / 6900 / 6900w Series SIP Phone Argument Injection Vulnerability (CVE-2024-41710)

🗓️ 16 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 8 Views

Mitel 6800, 6900, and 6900w SIP phones have an argument injection flaw; authenticated administrators can run arbitrary commands during boot.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(327410);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/17");

  script_cve_id("CVE-2024-41710");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/03/05");

  script_name(english:"Mitel 6800 / 6900 / 6900w Series SIP Phone Argument Injection Vulnerability (CVE-2024-41710)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote Mitel IP Phone running SIP Software is affected by an argument 
injection vulnerability:

  - A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, through R6.4.0.HF1 
    (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument 
    injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit 
    could allow an attacker to execute arbitrary commands within the context of the system. (CVE-2024-41710)

Please see the included Mitel Product Security Advisory for more information.");
  # https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?18fd5b1e");
  # https://github.com/kwburns/CVE/blob/main/Mitel/6.3.0.1020/README.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?54253096");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version R6.4.0.HF2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-41710");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(88);

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/h:mitel:ip_phone");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mitel:sip_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mitel_ip_phone_sip_detect.nbin");
  script_require_keys("installed_sw/Mitel IP Phone");
  script_require_ports("Services/sip", "Services/udp/sip");

  exit(0);
}

include('vcf_extras_mitel.inc');

var app = 'Mitel IP Phone';

var detected_on = get_kb_list('installed_sw/*/Mitel IP Phone/service/*/SIP/Banner');

var report = '';

var models = {
  '6800': {'constraints': [{'fixed_version' : '6.4.0.137', 'fixed_display' : 'R6.4.0.HF2 (R6.4.0.137)'}]},
  '6900': {'constraints': [{'fixed_version' : '6.4.0.137', 'fixed_display' : 'R6.4.0.HF2 (R6.4.0.137)'}]},
  '6900w': {'constraints': [{'fixed_version' : '6.4.0.137', 'fixed_display' : 'R6.4.0.HF2 (R6.4.0.137)'}]}
};

foreach var item (keys(detected_on))
{
  var portproto = pregmatch(string:item, pattern:'installed_sw/([0-9]+)/Mitel IP Phone/service/([a-z]{3})/SIP/Banner');
  if (!empty_or_null(portproto))
  {
    var port = portproto[1];
    var proto = portproto[2];
    var app_info = vcf::mitel_ip_phone::get_app_info(app:app, port:port, proto:proto);

    report += vcf::mitel_ip_phone::check_version(app_info:app_info, models:models);
  }
}

if (empty_or_null(report))
  audit(AUDIT_HOST_NOT, 'affected');

security_report_v4(
  port:port,
  proto:proto,
  severity:SECURITY_HOLE,
  extra:report
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jul 2026 00:00Current
8.6High risk
Vulners AI Score8.6
CVSS 3.16.8 - 7.2
EPSS0.41646
SSVC
8