=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN373
_____________________________________________________________________

DATE                : 09/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MiCollab versions prior
                     to 10.2 SP1 (10.2.1.11).

=====================================================================
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2026-0002
_____________________________________________________________________


Mitel Product Security Advisory MISA-2026-0002
MiCollab SQL Injection and Privilege Escalation Vulnerabilities

Advisory ID: MISA-2026-0002

Publish Date: 2026-04-08

Last Updated: 2026-04-08

Revision: 1.0

Summary

An SQL injection vulnerability in the Audio, Web and Video Conferencing
(AWV) component of Mitel MiCollab could allow an unauthenticated
attacker to conduct an SQL injection attack due to insufficient
sanitization of user input. A successful exploit of this vulnerability
could allow an attacker to access system or user provisioning
information and execute arbitrary SQL database commands. The
vulnerability severity is rated as critical.

A privilege escalation vulnerability in the Audio, Web and Video
Conferencing (AWV) component of Mitel MiCollab could allow an
authenticated attacker with administrative privilege to conduct a
privilege escalation attack due to resources executing with unnecessary
privileges. A successful exploit of this vulnerability could allow an
attacker with local access to execute arbitrary commands with elevated
privileges. The vulnerability severity is rated as medium.

Exploiting these vulnerabilities together can significantly amplify
their impact.

Mitel is recommending customers with affected product versions update to
the available solutions as soon as feasible.

Credit is given to Almog Biton, independent security researcher, for
highlighting these issues and bringing them to our attention.

Affected Products and Solutions

This security advisory provides information on the following products: 

PRODUCT NAME   VERSION(S) AFFECTED                    SOLUTION(S) AVAILABLE
MiCollab       Version 10.2 (10.2.0.24) and earlier   Upgrade to version 10.2 SP1
                                                      (10.2.1.11) or subsequent
                                                      releases.

Alternative Solution: Mitel provided patches are available for releases
10.0 (10.0.0.26) to 10.2 (10.2.0.24), and versions 9.8 (9.8.0.33) to
9.8 SP3 FP1 (9.8.3.103).

See the Security KB article for instructions regarding the upgrade and
the application of the available patches.


Product statements are related only to supported product versions. Products
which have reached End of Support status are not considered.

Vulnerability Severity

The following products have been identified as affected:

PRODUCT NAME   CVE ID          SEVERITY          CVSS 3.1 VECTOR
MiCollab       CVE requested   Critical / 9.8    AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MiCollab       CVE requested   Medium / 6.7      AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploiting these vulnerabilities together can significantly amplify their
impact.

Mitigations / Workarounds

For customers who are not currently able to upgrade to the latest version in a
timely manner, the risk may be mitigated by following the instructions found in
the security KB article.


Solution / Recommended Action

This issue is addressed in MiCollab 10.2 SP1 (10.2.1.11). Also, Mitel provided
patches are available for releases 10.0 (10.0.0.26) to 10.2 (10.2.0.24), and
versions 9.8 (9.8.0.33) to 9.8 SP3 FP1 (9.8.3.103). Customers are advised to
upgrade to this or subsequent releases.
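As an added illustration that is not part of the Mitel or CERT-Renater advisory, the following Python helper triages MiCollab build numbers against the version boundaries stated in the Affected Products table and in this section (fixed release 10.2 SP1, patchable ranges 10.0.0.26 to 10.2.0.24 and 9.8.0.33 to 9.8.3.103). The hostnames and builds in the sample inventory are constructed, and the code does not check whether a release is still supported, which the advisory makes a precondition for its statements.

```python
from typing import Dict, List, Tuple

# Version boundaries exactly as stated in MISA-2026-0002.
FIXED_RELEASE = (10, 2, 1, 11)            # 10.2 SP1 resolves both issues
PATCH_RANGES = [                          # inclusive ranges with a Mitel-provided patch
    ((10, 0, 0, 26), (10, 2, 0, 24)),     # 10.0 through 10.2
    ((9, 8, 0, 33), (9, 8, 3, 103)),      # 9.8 through 9.8 SP3 FP1
]

NOT_AFFECTED = "not affected: 10.2 SP1 (10.2.1.11) or later"
PATCHABLE = "affected: Mitel patch available; upgrade to 10.2 SP1 also possible"
UPGRADE_ONLY = "affected: no patch listed in the advisory; upgrade to 10.2 SP1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.0.24' into (10, 2, 0, 24); shorter strings are zero-padded."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    values = tuple(int(p) for p in parts)
    return values + (0,) * (4 - len(values))


def triage(version: str) -> str:
    """Classify one MiCollab build against the advisory's stated ranges."""
    v = parse_version(version)
    if v >= FIXED_RELEASE:
        return NOT_AFFECTED
    if any(low <= v <= high for low, high in PATCH_RANGES):
        return PATCHABLE
    return UPGRADE_ONLY


def triage_inventory(rows: List[str]) -> Dict[str, str]:
    """Map 'hostname,version' lines to a verdict; malformed rows are reported, not dropped."""
    verdicts: Dict[str, str] = {}
    for row in rows:
        host, _, version = row.partition(",")
        try:
            verdicts[host.strip()] = triage(version)
        except ValueError as exc:
            verdicts[host.strip()] = f"unparsed: {exc}"
    return verdicts


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE_INVENTORY = [
    "micollab-paris-01,10.2.0.24",
    "micollab-lyon-02,9.8.3.103",
    "micollab-lab-03,9.9.0.5",
    "micollab-dr-04,10.2.1.11",
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` gives one verdict per host, so the output can be fed straight into a remediation tracker.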

Please see Mitel Security Knowledge Base article KB000127339, “MiCollab Security
Update - SQL Injection and Privilege Escalation Vulnerabilities”, for detailed
instructions regarding the upgrade and applying the available patches.

If you do not have access to this link, please contact your Mitel Authorized
Partner for support.

For further information, please contact Mitel Product Support.


Revision History

Version   Date         Description
1.0       2026-04-08   Initial release

Publisher and Legal Disclaimer

Publisher: Mitel PSIRT / [email protected]

The information provided in this advisory is provided "as is" without warranty
of any kind. The information is subject to change without notice. Mitel and its
affiliates do not guarantee and accept no legal liability whatsoever arising
from or connected to the accuracy, reliability, currency or completeness of the
information provided. No part of this document can be reproduced or transmitted
in any form or by any means - electronic or mechanical - for any purpose without
written permission from Mitel Networks Corporation.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================