Mitel 6800, 6900, and 6900w Series SIP Phones Unauthenticated File Upload Vulnerability

Vulnerability

An unauthenticated file upload vulnerability has been identified in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, all running versions through 6.4 SP4. This vulnerability allows an unauthenticated attacker to upload arbitrary WAV files due to missing authentication mechanisms. Exploitation of this vulnerability could lead to storage exhaustion on the affected phones, without disrupting their availability or normal operation.

Impact

Successful exploitation allows for unauthorized file uploads, which could fill the phone's storage capacity, potentially leading to issues with storage management or file handling.

Remediation

Users are advised to upgrade to Mitel 6800 Series, 6900 Series, or 6900w Series SIP Phones version R6.4.0.SP5 (4.0.5013) or later. For the Mitel 6970 Conference Unit, upgrade to version R6.4.0.SP5 (4.0.5013) or version V1 R0.2.0 or later, depending on the product's usage context. Consult the Mitel Knowledge Base article SO8496 for detailed update instructions.

Added: Jul 23, 2025, 7:18 PM
Updated: Jul 23, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 7.0
remediation: 7.9
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.