Monday, May 12, 2025
Mitel SIP Phones Vulnerable to Critical Security Flaws, Prompting Urgent Update

by Charline

Security researchers have discovered two critical vulnerabilities in Mitel’s suite of SIP phones, putting users at risk of command execution and malicious file uploads.

The most serious flaw, identified as CVE-2025-47188, affects Mitel’s 6800 Series, 6900 Series, and 6900w Series SIP phones, including the 6970 Conference Unit. With a critical CVSS score of 9.8, this vulnerability allows attackers to execute arbitrary commands on the devices without needing authentication.

This flaw, a command injection vulnerability, arises from insufficient parameter sanitization. If exploited, it could expose sensitive system and user data, impact device availability, and compromise operations. Attackers can execute commands within the phone’s system, potentially taking full control of the device, accessing confidential data, altering configurations, or even making the device inoperable.

Alongside this severe issue, researchers also found a less critical but concerning vulnerability, CVE-2025-47187, with a CVSS score of 5.3. This unauthenticated file upload vulnerability allows attackers to upload arbitrary WAV files, which could fill up the phone’s storage, leading to disruptions.

While the second flaw is less damaging, it still provides a potential entry point for attackers.

Both vulnerabilities affect all versions of the Mitel 6800 Series, 6900 Series, and 6900w Series SIP phones, including the 6970 Conference Unit, running firmware version R6.4.0.SP4 or earlier.

Mitel was alerted to the vulnerabilities by Marc Bollhalder of InfoGuard Labs. This highlights the importance of coordinated vulnerability disclosure in securing telecommunications infrastructure.

Exploitation and Mitigation

The command injection vulnerability exists in the phone’s web interface, where certain parameters are not properly sanitized before being passed to system commands. This allows attackers to inject malicious commands into legitimate requests, which are executed with the privileges of the web server process. These attacks could range from data theft to maintaining persistent access.

An example of exploitation could involve sending a specially crafted HTTP request that appends malicious commands to a legitimate parameter value, such as:

  • GET /config?parameter=legitimate_value;malicious_command HTTP/1.1
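A defender-side check for the request pattern just described, added here as an example and not code from the article or from Mitel: it scans web access-log lines (constructed, Common Log Format; the phone's real log format is not documented on this page) and flags any query parameter whose decoded value carries shell metacharacters, which should never reach a system command.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Metacharacters that must not appear in a value that is handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>]")

# Common Log Format line: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the second reuses the article's example request,
# the third carries a percent-encoded pipe to show decoding is applied.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /config?parameter=legitimate_value HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2025:10:01:07 +0000] "GET /config?parameter=legitimate_value;malicious_command HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2025:10:01:09 +0000] "GET /config?parameter=a%7Cb HTTP/1.1" 200 512
10.0.0.7 - - [12/May/2025:10:02:00 +0000] "POST /upload HTTP/1.1" 200 12
"""


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.

    Splitting is done by hand on '&' only, so a ';' inside a value is kept
    as data rather than being treated as a separator (older parse_qsl did that).
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def find_injection_attempts(log_text):
    """Return one record per parameter value containing a shell metacharacter."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m.group("target")).query
        for name, value in parse_query(query):
            if SHELL_META.search(value):
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "param": name, "value": value})
    return hits
```

Run against a larger log, the returned records give the source address and offending value to feed into an alert or a block rule; a hit is evidence of an attempt, not of successful execution.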

Mitel has addressed both vulnerabilities in the R6.4.0.SP5 firmware update, released on May 7, 2025. Users of affected devices are strongly advised to upgrade to this version or later to protect against potential attacks.

For those unable to update immediately, Mitel recommends network segmentation to limit access to vulnerable devices and encourages organizations to consult knowledge base article SO8496 for additional mitigation strategies.
