Mitel’s widely deployed SIP phones, including the 6800, 6900, 6900w Series, and the 6970 Conference Unit, have been discovered to contain critical security vulnerabilities that could allow hackers to execute arbitrary commands and upload malicious files, potentially putting thousands of enterprise communications systems at risk.
Security researchers have identified a severe command injection flaw (CVE-2025-47188) in multiple Mitel SIP phone models.
This vulnerability stems from insufficient sanitization of parameters within the device’s web management interface.
As a result, an unauthenticated attacker with network access can exploit the flaw remotely, without any user interaction, to inject and execute malicious system commands on affected phones.
The command injection vulnerability is rated as critical, with a CVSS 3.1 score of 9.8, reflecting the ease with which attacks can be launched: no authentication or elevated privileges are required and no user interaction is necessary.
Upon successful exploitation, attackers could gain control over the device, exfiltrate sensitive configuration data, alter system settings, and potentially disrupt phone operations.
This level of access could be used as a foothold to pivot deeper into enterprise networks, enabling lateral movement and wider compromise.
Medium-Severity File Upload Weakness
In addition to the command injection flaw, a medium-severity unauthenticated file upload vulnerability (CVE-2025-47187) was also disclosed.
This issue arises from improper authentication mechanisms around the phone’s file upload functionality, allowing attackers to upload arbitrary WAV files to the device’s storage.
While this would not directly impact device operation or availability, it could be abused to exhaust device storage, cause administrative headaches, or further enable social engineering or denial-of-service attacks. This vulnerability holds a CVSS score of 5.3, categorizing it as medium risk.
Affected Devices and Urgent Mitigation Steps
The vulnerabilities affect all Mitel 6800, 6900, and 6900w Series SIP Phones, as well as the 6970 Conference Unit running firmware version R6.4.0.SP4 or earlier.
Both vulnerabilities require the attacker to have network access to the device, underscoring Mitel’s long-standing deployment recommendation to keep SIP phones on protected internal networks.
However, enterprise environments with expansive internal networks and insufficient network segmentation may still be at heightened risk.
According to the report, Mitel has issued a critical advisory urging all customers to upgrade immediately to firmware version R6.4.0.SP5 or later, where both flaws have been addressed.
Customers unable to update promptly have been advised to refer to the company’s official Knowledge Base article SO8496 for potential workarounds and interim mitigations.
These mitigation steps, while not detailed in the advisory, likely include strict network access controls and disabling remote management interfaces where practical.
The vulnerabilities were responsibly disclosed by Marc Bollhalder of InfoGuard Labs, highlighting the ongoing risk posed by inadequate input validation and authentication controls in widely used IoT and VoIP devices.
Given the critical nature of the command injection flaw, rapid patching is strongly encouraged, particularly as exploitation techniques for such bugs are typically trivial for attackers to automate and scale.
Organizations that deploy Mitel’s SIP phones should immediately audit device firmware versions, restrict network access where possible, and monitor for abnormal device behavior that could indicate compromise.
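An added example (not from Mitel or the original article) of the firmware audit recommended above: it sorts an inventory into devices below R6.4.0.SP5, devices at or above it, and devices whose version string cannot be read. It assumes a CSV with hypothetical "host" and "firmware" columns and versions written in the advisory's R6.4.0.SP4 notation; the hostnames and sample rows are constructed.

```python
import csv
import io
import re

# Assumption: firmware is recorded in the advisory's notation, e.g. "R6.4.0.SP4".
VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)(?:\.SP(\d+))?$", re.IGNORECASE)
FIXED = (6, 4, 0, 5)  # R6.4.0.SP5, the first fixed release named in the article


def parse_version(text):
    """Return (major, minor, patch, sp) or None if the string is not recognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    # A release without a service pack suffix is treated as SP0.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(firmware):
    """'vulnerable' below the fixed release, 'fixed' at or above, else 'unknown'."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # never assume an unparsed device is patched
    return "fixed" if version >= FIXED else "vulnerable"


def audit(inventory_csv):
    """Group hosts by status; the CSV needs 'host' and 'firmware' columns."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["firmware"])].append(row["host"])
    return report


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE = """host,firmware
phone-lobby,R6.4.0.SP4
phone-hr-01,R6.4.0.SP5
conf-room-2,R6.3.0
phone-lab,r6.4.0.sp3
phone-exec,R6.5.0
phone-old,unknown-build
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Devices reported as unknown should be checked by hand rather than counted as patched.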
Mitel customers who do not have direct support access are instructed to contact their authorized partners or Open SIP Support for further guidance.
Full details, including remediation steps and CVE references, are available via Mitel’s official security advisory portal.
As threats to enterprise communications infrastructure continue to evolve, this incident is a stark reminder of the importance of regular patch management, network segmentation, and minimizing exposure of management interfaces, even for devices designed to reside inside the perimeter.