CVE-2025-47187 is a high-severity vulnerability affecting Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones up to version 6.4 SP4 (R6.4.0.4006), as well as the Mitel 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0. The vulnerability arises from a missing authentication mechanism that allows an unauthenticated attacker to perform a file upload attack. Specifically, the attacker can upload arbitrary WAV audio files to the affected devices without any authentication or user interaction. This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The primary impact is the potential exhaustion of the device’s storage capacity by uploading large or numerous WAV files. Although the phones continue to operate normally and their availability is not directly affected, the storage exhaustion could lead to indirect operational issues, such as inability to store legitimate audio files or logs, and may degrade device performance over time. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N, I:N), but high impact on availability (A:H). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability affects a widely deployed line of enterprise SIP phones and conference units, which are commonly used in corporate telephony infrastructures. The lack of authentication on the file upload interface represents a significant security oversight that could be leveraged by attackers to disrupt telephony services or create denial-of-service conditions indirectly by filling device storage.

For European organizations, this vulnerability poses a risk primarily to the availability and operational reliability of telephony infrastructure. Mitel phones are widely used in enterprise environments across Europe, including in sectors such as finance, government, healthcare, and telecommunications. An attacker exploiting this vulnerability could upload large WAV files to devices, potentially exhausting storage and causing degradation in call recording, voicemail, or conference functionalities. While the phones remain operational, the storage exhaustion could prevent legitimate audio data from being saved, impacting business communications and compliance with recording regulations. Additionally, the presence of unauthorized files could complicate forensic investigations or incident response. Given that the attack requires no authentication and can be performed remotely over the network, organizations with exposed or poorly segmented VoIP infrastructure are at higher risk. This could lead to service disruptions, increased support costs, and potential reputational damage. The lack of known exploits currently provides a window for proactive mitigation before active exploitation occurs.

1. Network Segmentation: Isolate Mitel SIP phones and conference units on dedicated VLANs with strict access controls to limit exposure to untrusted networks. 2. Access Control Lists (ACLs): Implement ACLs on network devices to restrict access to the management and file upload interfaces of the affected phones only to trusted IP addresses or subnets. 3. Monitoring and Logging: Enable detailed logging on telephony infrastructure to detect unusual file upload activity or storage usage spikes. 4. Firmware Updates: Monitor Mitel’s official channels for security patches addressing this vulnerability and apply updates promptly once available. 5. Disable Unused Services: If possible, disable or restrict the file upload functionality on affected devices until a patch is applied. 6. Incident Response Preparation: Develop and test incident response plans specific to telephony infrastructure to quickly address potential exploitation. 7. Vendor Engagement: Engage with Mitel support to obtain guidance or interim mitigations and confirm device versions in use. 8. Network Intrusion Detection: Deploy IDS/IPS solutions with signatures or anomaly detection tuned to identify unauthorized file upload attempts targeting SIP phones. These measures go beyond generic advice by focusing on network-level controls, proactive monitoring, and vendor coordination tailored to the specific nature of the vulnerability.