Full Report
A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks. The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor
Analysis Summary
# Vulnerability: Command Injection in Mitel Phones Active in Aquabot Botnet Exploitation
## CVE Details
- CVE ID: CVE-2024-41710
- CVSS Score: 6.8 (Medium)
- CWE: Command Injection
## Affected Systems
- Products: Mitel 6800 Series SIP Phones, Mitel 6900 Series SIP Phones, Mitel 6900w Series SIP Phones, Mitel 6970 Conference Unit.
- Versions: Not explicitly listed in the context, but the flaw was addressed by Mitel in mid-July 2024.
- Configurations: Affects the device boot process.
## Vulnerability Description
CVE-2024-41710 is a command injection vulnerability that exists in the boot process of the affected Mitel phones. Successful exploitation allows an unauthenticated, malicious actor to execute arbitrary commands on the device within the context of the phone's running processes. This is being leveraged by the Aquabot botnet (a Mirai variant) to enroll devices for DDoS operations.
## Exploitation
- Status: Exploited in the wild (Active exploitation attempts detected since early January 2025).
- Complexity: Not explicitly rated, but generally RCE/Command Injection flaws exploited over the network are considered Medium to Low, especially when a PoC exists.
- Attack Vector: Network (Implied by deployment via botnet over the network).
## Impact
- Confidentiality: Unknown/Implied Moderate (Potential for data exposure from the compromised device).
- Integrity: High (Remote command execution allows arbitrary code modification/execution).
- Availability: High (The devices are being enlisted into a DDoS botnet).
## Remediation
### Patches
- Mitel addressed this vulnerability in mid-July 2024. Users should apply the relevant security advisory patch (Mitel Product Security Advisory 24-0019) to update affected devices.
### Workarounds
- No specific workarounds were mentioned in the provided text other than applying the official patch. Limiting network access to these devices where possible may serve as a temporary measure.
## Detection
- **Indicators of Compromise (IOCs):** Successful exploitation leads to the execution of shell scripts that retrieve the Aquabot payload using the `wget` command, often for specific CPU architectures. Infected devices run processes related to the Mirai variant, potentially renaming the process to `httpd.x86`.
- **Detection Methods and Tools:** Network monitoring tools capable of identifying suspicious outbound connections to known C2 infrastructure utilized by the Aquabot botnet or unusual command execution patterns during the boot process of phone devices.
## References
- Vendor Advisory: [https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019) (Defanged: hxxps://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019)
- PoC Availability: [https://github.com/kwburns/CVE/blob/main/Mitel/6.3.0.1020/README.md](https://github.com/kwburns/CVE/blob/main/Mitel/6.3.0.1020/README.md) (Defanged: hxxps://github.com/kwburns/CVE/blob/main/Mitel/6.3.0.1020/README.md)
- Research Article: [https://thehackernews.com/2025/01/new-aquabot-botnet-exploits-cve-2024-41710.html](https://thehackernews.com/2025/01/new-aquabot-botnet-exploits-cve-2024-41710.html) (Defanged: hxxps://thehackernews.com/2025/01/new-aquabot-botnet-exploits-cve-2024-41710.html)