CVE-2024-37569

Name of the Vulnerable Software and Affected Versions: Mitel 6869i versions 4.5.0.41 and earlier Mitel 6869i versions 5.x through 5.0.0.1018

Description: A command injection issue exists in the hostname parameter taken in by the "provis.html" endpoint. The "provis.html" endpoint performs no sanitization on the hostname parameter, which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.

Recommendations: For Mitel 6869i versions 4.5.0.41 and earlier, consider disabling access to the "provis.html" endpoint until a patch is available. For Mitel 6869i versions 5.x through 5.0.0.1018, restrict the use of the hostname parameter in the "provis.html" endpoint to minimize the risk of exploitation. As a temporary workaround, consider implementing input validation and sanitization for the hostname parameter to prevent command injection attacks.