CVE-2024-37570 is a command injection vulnerability identified in the Mitel 6869i IP phone firmware version 4.5.0.41. The vulnerability arises from insufficient input sanitization on the Manual Firmware Update web interface, specifically the username and path parameters submitted by authenticated users. These parameters are directly appended to a busybox ftpget command without proper escaping or validation, allowing an attacker to inject shell commands using the $() syntax. This leads to arbitrary command execution on the device, which can compromise the device’s operating system and potentially the broader network environment. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring only privileges of an authenticated user. No public patches or exploits have been reported yet, but the risk is significant given the device’s role in enterprise telephony infrastructure.

Exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the Mitel 6869i device, potentially leading to full compromise of the device. This can result in unauthorized access to sensitive communications, disruption of telephony services, and pivoting to other internal systems. The impact extends to confidentiality breaches through interception or manipulation of voice data, integrity violations by altering device firmware or configuration, and availability issues by causing device crashes or denial of service. Given the device’s integration in enterprise voice networks, successful exploitation could disrupt critical business communications and expose organizations to espionage or sabotage.

Organizations should immediately verify if they are using Mitel 6869i devices with firmware version 4.5.0.41 and restrict access to the Manual Firmware Update interface to trusted administrators only. Network segmentation should isolate these devices from untrusted networks to reduce exposure. Employ strict access controls and multi-factor authentication for device management interfaces. Monitor device logs for unusual command execution or firmware update activities. Since no official patch is currently available, consider disabling the Manual Firmware Update web page if feasible or applying web application firewall (WAF) rules to detect and block command injection patterns in the username and path parameters. Engage with Mitel support for updates or mitigations and plan for timely firmware upgrades once patches are released.