CVE-2024-37570: Command Injection
First published: Sun Jun 09 2024(Updated: )
On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Mitel 6869i SIP Phone | =4.5.0.41 | |
| Mitel 6869i SIP Phone |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-37570?
CVE-2024-37570 is classified as a critical vulnerability due to the potential for authenticated remote command execution.
How do I fix CVE-2024-37570?
To fix CVE-2024-37570, update the Mitel 6869i SIP Firmware to a version that properly sanitizes input on the Manual Firmware Update page.
Who is affected by CVE-2024-37570?
CVE-2024-37570 affects Mitel 6869i devices running firmware version 4.5.0.41.
What kind of attack can be executed through CVE-2024-37570?
CVE-2024-37570 allows for command injection attacks due to inadequate input sanitization.
Is user authentication required for exploiting CVE-2024-37570?
Yes, an authenticated user is required to exploit CVE-2024-37570 through the Manual Firmware Update page.
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/author
- agent/severity
- agent/weakness
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mitel
- canonical/mitel 6869i sip phone
- version/mitel 6869i sip phone/4.5.0.41