CVE-2024-37570

Name of the Vulnerable Software and Affected Versions: Mitel 6869i version 4.5.0.41

Description: The issue is related to the Manual Firmware Update (upgrade.html) page, which does not perform sanitization on the username and path parameters sent by an authenticated user. This lack of sanitization leads to $() command execution, allowing a remote attacker to execute arbitrary commands by sending specially crafted POST requests.

Recommendations: For Mitel 6869i version 4.5.0.41, as a temporary workaround, consider disabling access to the Manual Firmware Update (upgrade.html) page until a patch is available. Restrict access to the upgrade.html page to minimize the risk of exploitation. Avoid using the username and path parameters in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.