Mitel 6800 / 6900 / 6900w Series SIP Phone Argument Injection Vulnerability (CVE-2024-41710)

high Nessus Plugin ID 327410

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, the remote Mitel IP Phone running SIP Software is affected by an argument injection vulnerability:

- A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system. (CVE-2024-41710)

Please see the included Mitel Product Security Advisory for more information.

Solution

Upgrade to version R6.4.0.HF2 or later.

See Also

http://www.nessus.org/u?18fd5b1e

http://www.nessus.org/u?54253096

Plugin Details

Severity: High

ID: 327410

File Name: mitel_ip_phone_6_4_0_137.nasl

Version: 1.1

Type: Remote

Family: Misc.

Published: 7/16/2026

Updated: 7/16/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.1

CVSS v2

Risk Factor: High

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-41710

CVSS v3

Risk Factor: High

Base Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2024-41710

Vulnerability Information

CPE: x-cpe:/h:mitel:ip_phone, x-cpe:/o:mitel:sip_firmware

Required KB Items: installed_sw/Mitel IP Phone

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/17/2024

Vulnerability Publication Date: 7/17/2024

Reference Information

CVE: CVE-2024-41710

CWE: 88