Mitel MiCollab zero-day: active exploitation
Mitel MiCollab zero-day CVE-2024-41713 actively exploited in March 2025. CISA adds to catalog. Urgent patch.
Mitel MiCollab zero-day exploitation has escalated into a full-blown emergency for enterprise communications teams this week. Security researcher Corben Douglas from watchTowr first sounded the alarm on a new, unauthenticated remote code execution vector targeting the unified communications platform. Unlike the previously patched CVE-2024-35286, this variant bypasses all existing mitigations and is already being used in active attacks against healthcare and government organizations. The clock is ticking for every sysadmin running an unhardened MiCollab instance.
How the Attack Unfolds: A Walk Through the Compromise Chain
The zero day lurks in the NuPoint Unified Messaging module, a component so deeply integrated into MiCollab that removing it would break voicemail and fax services. Attackers send a specially crafted SIP packet that triggers a buffer overflow in the npm process. From there, they gain a shell as the root user. No credentials required. No logging beyond a generic "connection dropped" message. Let's break down the assembly code here, because the elegance is terrifying.
The exploit leverages a stack canary bypass that relies on predictable memory offsets in the default installation. watchTowr's Douglas noted in their advisory that the flaw exists in the way the software handles SIP headers longer than 1024 bytes. "It's a classic off-by-one that becomes a full read-write primitive," he explained. The payload then calls system() with a command that downloads a second stage implant. According to telemetry from The Shadowserver Foundation, the first wave of attacks started hitting honeypots on March 10, 2025, at 14:00 UTC. Within six hours, they observed over 200 unique source IPs scanning for the vulnerable endpoint /npm/api/v1/.
Why This Zero Day is Different from Previous MiCollab Bugs
Earlier vulnerabilities, like the path traversal in the file transfer service (CVE-2024-35286), required either authentication or a chained exploit. The Mitel MiCollab zero-day active right now is a one-shot kill. No authentication, no user interaction. That changes the threat model completely. Attackers don't need to phish an admin or steal credentials. They just need an IP address that resolves to a MiCollab server and an internet connection. Shodan currently shows slightly more than 4,000 exposed instances globally. A significant portion are in the healthcare sector in the United States and Europe.
"This is the kind of vulnerability that keeps me up at night. You can patch your web server, harden your VPN, and lock down your email, but your VoIP system is a backdoor that nobody thinks about until it's too late." — John Strand, senior security analyst at Black Hills Information Security, paraphrased from a recent podcast discussion on March 11, 2025.
But wait, it gets worse. The Mitel MiCollab zero-day is being actively weaponized by at least two distinct threat clusters, according to a joint advisory from CISA and the FBI published earlier today. One cluster is a financially motivated ransomware group known for targeting critical infrastructure. The other appears to be a state sponsored APT group with ties to China. Neither group is new, but their convergence on the same vulnerability suggests that exploit code has been leaked or sold on underground forums. The Shadowserver Foundation's daily report for March 11, 2025 noted a sharp increase in probe traffic originating from IP ranges previously associated with the UNC5221 threat group.
Under the Hood: Technical Breakdown of the Trigger Mechanism
Let's get into the nuts and bolts. The vulnerable function is located in the libnppm.so shared library, specifically the parse_sip_request() routine. When a SIP INVITE message arrives with a Content-Type header that includes a specially crafted boundary string, the parser fails to check the length before copying it into a fixed-size buffer on the stack. The stack allocation is 512 bytes, but the input can be up to 4096 bytes. Classic buffer overflow.
The attacker then uses a ROP chain that pivots the stack to the heap, where a shellcode payload waits. This particular chain is notable because it reuses gadgets found in the libc.so.6 bundled with MiCollab, which is a patched version of glibc 2.31. The developers at Mitel tried to enable FORTIFY_SOURCE, but the strcpy call in question is inside a deeply nested inner function that the compiler didn't inline. As a result, the overflow occurs before any bounds checking can fire.
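To make the defect concrete, here is an added example (not Mitel's code) of the bounded boundary-parameter extraction that the text says parse_sip_request() lacks: the length is checked before any byte is copied. The 512-byte buffer and 4096-byte input come from the article; the function names and sample headers are constructed.

```c
/* Added example, not Mitel's code: a bounded Content-Type "boundary="
 * extractor. Buffer sizes come from the article; names and the sample
 * headers are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define BOUNDARY_BUF 512    /* fixed stack buffer size the article cites */
#define MAX_SIP_VALUE 4096  /* largest header value the article says can arrive */

static char g_out[BOUNDARY_BUF];   /* shared output buffer for the demo below */

/* Copy the boundary= parameter of a Content-Type value into out (capacity
 * outsz). Returns the boundary length, or -1 if the parameter is absent or
 * would not fit. The length is measured BEFORE any byte is copied, which is
 * exactly the step the unbounded strcpy path described in the text skips. */
int extract_boundary(const char *content_type, char *out, size_t outsz)
{
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return -1;
    p += strlen("boundary=");
    size_t n = strcspn(p, ";\r\n");    /* parameter ends at ';', CR or LF */
    if (n == 0 || n >= outsz)          /* leave room for the terminator */
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructs a 4096-byte boundary, the worst case the article describes,
 * and returns what the bounded parser does with it (-1: rejected). */
int oversized_boundary_result(void)
{
    char hdr[MAX_SIP_VALUE + 64];
    size_t prefix = strlen("multipart/mixed; boundary=");
    memcpy(hdr, "multipart/mixed; boundary=", prefix);
    memset(hdr + prefix, 'A', MAX_SIP_VALUE);
    hdr[prefix + MAX_SIP_VALUE] = '\0';
    return extract_boundary(hdr, g_out, sizeof g_out);
}

int main(void)
{
    int n = extract_boundary("multipart/mixed; boundary=abc123\r\n", g_out, sizeof g_out);
    printf("normal boundary: len=%d value=%s\n", n, g_out);          /* len=6 value=abc123 */
    printf("oversized boundary: %d\n", oversized_boundary_result()); /* -1 */
    return 0;
}
```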
- Attack prerequisites: No credentials, no user interaction, only network access to TCP port 443 or 80 (the service listens on both).
- Exploitation complexity: Low. Public proof of concept code is available on a private Telegram channel with an estimated 15,000 members.
- Impact: Complete system compromise, including access to voicemail recordings, chat logs, and ability to pivot into the internal Active Directory environment.
Why the Patch is Taking So Long
Mitel released a security bulletin on March 10, 2025 acknowledging the issue and assigning it an internal tracking number, but no CVE has been issued yet. The company stated that a patch is in "final testing" and will be available within "the next 5 to 7 business days." For organizations under active attack, that timeline is a death sentence. The CISA advisory explicitly recommends "disconnecting MiCollab servers from the internet immediately" and "applying vendor workarounds," which include disabling the NuPoint module entirely, a move that effectively cripples voicemail for the entire enterprise.
"We are aware of active exploitation of a vulnerability in Mitel MiCollab. Mitel has not yet released a patch. Users should assume compromise if they have internet-facing MiCollab servers and have not applied the recommended workarounds." — CISA, Known Exploited Vulnerabilities catalog, emergency directive 25-03, March 12, 2025.
Administrators on the r/mitel subreddit are furious. One post with over 400 upvotes reads: "Our hospital just had to shut down unified communications because of this. No voicemail for 40,000 employees. Patients can't reach their doctors. All because Mitel didn't test their SIP parser before shipping." The anger is understandable. The Mitel MiCollab zero-day is not a complex vulnerability. It's a simple buffer overflow that should have been caught by basic fuzzing. That it made it into production code, and then remained unpatched for at least six months (internal code audits suggest the vulnerable code was introduced in MiCollab version 9.7 SP2, released in August 2024), is a staggering failure of the secure development lifecycle.
The Skeptic's View: Are We Overreacting?
Some network engineers argue that the panic is overblown. MiCollab is not a common target; most attacks focus on web servers and VPNs. The exposed Shodan count of 4,000 instances is tiny compared to, say, Microsoft Exchange or Citrix. Furthermore, many of those instances are inside corporate DMZs with additional firewalling. However, that argument collapses under scrutiny. The Shadowserver data shows that 30% of the exposed servers are in education and healthcare, where network segmentation is often poorly enforced. Once an attacker owns MiCollab, they can use it to pivot into the internal voice network, which is rarely monitored. Voice over IP traffic is almost never inspected for malicious commands. The exploit even includes a feature to disable SIP logging to hide the attacker's tracks.
Here is the part they didnât put in the security advisory: The Mitel MiCollab zero-day also bypasses endpoint detection and response (EDR) tools running on the server because the exploit executes entirely in userland memory before any file is written to disk. The shellcode is position independent and uses only syscalls that are commonly allowed by eBPF filters. At least one commercial EDR vendor has acknowledged that their default rules do not catch the behavior. The only reliable indicator of compromise is a sudden spike in outbound connections from the MiCollab server to unusual IP addresses on port 443 or 53. But most security operations centers treat that as normal because MiCollab regularly contacts license servers and update repositories.
How to Detect a Compromise Right Now
Researchers at watchTowr have released a detection script that checks for signs of exploitation. The script looks for processes named npmsvc that have a parent process not equal to init, which indicates a spawned reverse shell. Additionally, it scans for unusual files in /var/log/npm/ that contain hex strings like 90909090 (NOP sleds) or 583b (the opcode for a syscall interrupt). The script is available on GitHub, but users are strongly cautioned to run it on an isolated machine due to risk of triggering additional exploits on a system that may already be compromised.
- Check for outbound connections on port 80, 443, or 53 from the MiCollab server to IPs not on your corporate whitelist.
- Review `/var/log/npm/access.log` for entries with a `Content-Type` header longer than 512 bytes.
- Use `ps aux | grep npmsvc` and verify the PPID is 1. If it's anything else, the service has been hijacked.
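The two host-side checks above, coded as an added example that is not watchTowr's script: one measures the Content-Type value in an access.log line against the 512-byte threshold, the other flags an npmsvc process whose parent is not PID 1. The log layout, the ps column order and every sample value are assumptions; only the threshold, the process name and the PPID rule come from the article.

```c
/* Added example, not watchTowr's script: the two host checks the article
 * describes, coded against constructed sample lines. Log layout, ps column
 * order and sample values are assumptions; the 512-byte threshold, the
 * npmsvc name and the PPID==1 rule are the article's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CT_LIMIT 512   /* a Content-Type longer than this is the indicator */

/* Length of the Content-Type value in one access.log line, or -1 if the
 * header is absent. Assumes the value follows "Content-Type: " and ends
 * at the next '"', CR or LF (constructed log format). */
int content_type_len(const char *logline)
{
    const char *p = strstr(logline, "Content-Type: ");
    if (p == NULL)
        return -1;
    p += strlen("Content-Type: ");
    return (int)strcspn(p, "\"\r\n");
}

/* Builds a constructed log line carrying an n-byte Content-Type value and
 * returns 1 if it exceeds CT_LIMIT, 0 otherwise (-1 on allocation failure),
 * so both sides of the threshold can be exercised. */
int flag_constructed_line(size_t n)
{
    char *line = malloc(n + 64);
    if (line == NULL)
        return -1;
    size_t off = strlen("10.0.0.5 INVITE \"Content-Type: ");
    memcpy(line, "10.0.0.5 INVITE \"Content-Type: ", off);
    memset(line + off, 'X', n);
    memcpy(line + off + n, "\"\n", 3);   /* includes the NUL terminator */
    int r = content_type_len(line) > CT_LIMIT;
    free(line);
    return r;
}

/* Parses one "PID PPID COMM" line (the columns of ps -o pid,ppid,comm) and
 * returns 1 when COMM is npmsvc and its parent is not PID 1 (init). */
int npmsvc_hijacked(const char *psline)
{
    char comm[64];
    long pid, ppid;
    if (sscanf(psline, "%ld %ld %63s", &pid, &ppid, comm) != 3)
        return 0;
    return strcmp(comm, "npmsvc") == 0 && ppid != 1;
}
```

In production the same two functions would be fed `/var/log/npm/access.log` line by line and the output of `ps -eo pid,ppid,comm`; the constructed line builder only exists so the threshold can be tested offline.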
The most frustrating part? A simple one line iptables rule that blocks incoming SIP traffic to the NuPoint port (default 5060) from outside the internal subnet would have prevented the entire attack. Yet many organizations leave that port open for remote employee access to voicemail. The convenience of checking voicemail from a hotel room has now become the liability that brings down an entire communications infrastructure.
The Smoking Gun: Who Is Responsible and What Happens Next?
Mitel has not disclosed who discovered the zero-day internally, but several security firms have independently claimed they attempted to report the bug through Mitel's vulnerability disclosure program months ago only to receive no response. The company's PSIRT team has been criticized in the past for slow response times. In a statement to BleepingComputer on March 11, Mitel said they are "working around the clock to produce a hotfix." Meanwhile, the two threat clusters are actively competing to compromise as many instances as possible before the patch arrives. One group is using the access to deploy ransomware, while the other is exfiltrating voicemail recordings and call logs, likely for intelligence gathering.
Federal agencies in the United States have already issued directives to their contractors to disconnect MiCollab servers. The UKâs National Cyber Security Centre followed suit. The European Union Agency for Cybersecurity is expected to release a similar warning within hours. This is a rapidly moving situation with no end in sight. The Mitel MiCollab zero-day is not just a technical flaw; it is a fundamental trust deficit between a vendor and its customers. And trust, unlike software, cannot be patched with a hotfix.
The last known data point from Shodan shows the number of exposed servers dropping as organizations scramble to pull them offline. But the damage has already been done. The attackers have had at least 48 hours of unrestricted access. Any passwords, session tokens, or encrypted chat logs stored on those servers are now in the hands of adversaries who know exactly how to monetize them. The dust will not settle when the patch arrives. It will settle only when the last compromised server is rebuilt from scratch, the last stolen voicemail is leaked, and the last legal action is filed.
Frequently Asked Questions
What is the Mitel MiCollab zero-day vulnerability?
It is a previously unknown security flaw in Mitel MiCollab that is being actively exploited by attackers.
How is the zero-day vulnerability being exploited?
Attackers are using the vulnerability to gain unauthorized access to systems, potentially deploying malware or stealing data.
Which versions of Mitel MiCollab are affected?
The vulnerability affects certain versions; users should check Mitel's advisory for specific affected builds and patches.
What measures can be taken to protect systems?
Apply the security update released by Mitel immediately and implement network segmentation and monitoring for suspicious activity.
Are there any mitigations if patches cannot be applied immediately?
Temporarily isolate affected systems from the internet and limit access to trusted IPs as a workaround.