CVE-2024-42514 is a vulnerability identified in the legacy chat component of Mitel MiContact Center Business versions through 10.1.0.4. The root cause is inadequate access control checks (CWE-284), which allow an unauthenticated attacker to conduct unauthorized access attacks. Specifically, the vulnerability enables attackers to bypass authentication mechanisms and interact with the chat system during an active session, provided that the victim performs some user interaction (e.g., clicking a crafted link or message). The attacker can then access sensitive information exchanged in the chat and send unauthorized messages, potentially misleading users or exfiltrating confidential data. The CVSS v3.1 base score is 8.1 (high), reflecting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact affects confidentiality and integrity but not availability. No patches or known exploits are currently publicly available, indicating the vulnerability is newly disclosed. The Mitel MiContact Center Business is widely used in enterprise contact centers for customer engagement, making this vulnerability significant for organizations relying on this platform for secure communications.

The vulnerability poses a significant risk to organizations using Mitel MiContact Center Business, particularly those relying on the legacy chat component for customer interactions. Exploitation can lead to unauthorized disclosure of sensitive customer or internal information, undermining confidentiality. Attackers can also send unauthorized messages, potentially causing misinformation, fraud, or reputational damage. Since the attack requires no authentication and can be initiated remotely over the network, the attack surface is broad. The need for user interaction somewhat limits automated exploitation but does not eliminate risk, especially in social engineering scenarios. The integrity of communications is compromised, which can disrupt trust in customer service operations. While availability is not directly impacted, the indirect effects on operational reliability and compliance with data protection regulations can be severe. Organizations may face regulatory penalties, customer loss, and financial damage if exploited.

Organizations should immediately assess their use of Mitel MiContact Center Business, focusing on versions up to 10.1.0.4 that include the legacy chat component. Since no official patches are currently listed, mitigation should include disabling or restricting access to the legacy chat feature if feasible. Network segmentation and firewall rules should limit external access to the chat system to trusted internal networks only. Implement strict monitoring and alerting for unusual chat activity or unauthorized message patterns. Educate users about the risk of interacting with unsolicited or suspicious chat messages to reduce the likelihood of successful user interaction exploitation. Engage with Mitel support for updates or patches and apply them promptly once available. Additionally, conduct regular security assessments and penetration tests focused on contact center components to identify and remediate access control weaknesses. Employ multi-factor authentication and session management improvements where possible to further reduce risk.