Mitel SIP Phones Command Injection & Unauthorized File Upload Vulnerabilities (CVE-2025-4788/4789)

Critical Vulnerability Information Vulnerability Overview Vulnerability IDs: CVE-2025-4788, CVE-2025-4789 Affected Products: - Mitel 6800 Series SIP Phones - Mitel 6900 Series SIP Phones - Mitel 6900w Series SIP Phones - Mitel 6970 Conference Unit Vulnerability Types: - Command Injection Vulnerability (CVE-2025-4788) - Unauthorized File Upload Vulnerability (CVE-2025-4789) Affected Versions Mitel 6800 Series SIP Phones: R6.4.0 SP4 (R6.4.0.4003) and earlier versions Mitel 6900 Series SIP Phones: R6.4.0 SP4 (R6.4.0.4003) and earlier versions Mitel 6900w Series SIP Phones: R6.4.0 SP4 (R6.4.0.4003) and earlier versions Mitel 6970 Conference Unit: R6.4.0 SP4 (R6.4.0.4003) and earlier versions, as well as V1.10.1.0 Remediation Upgrade to the following versions: - Mitel 6800 Series SIP Phones: R6.4.0 SP5 (R6.4.0.5013) or later - Mitel 6900 Series SIP Phones: R6.4.0 SP5 (R6.4.0.5013) or later - Mitel 6900w Series SIP Phones: R6.4.0 SP5 (R6.4.0.5013) or later - Mitel 6970 Conference Unit: R6.4.0 SP5 (R6.4.0.5013) or later, or upgrade to V1.10.2.0 or later Vulnerability Severity Command Injection Vulnerability (CVE-2025-4788): CVSS v3.1 Base Score 9.8 (Critical) Unauthorized File Upload Vulnerability (CVE-2025-4789): CVSS v3.1 Base Score 9.8 (Critical) Mitigation Measures Follow the mitigation instructions in the KMS documentation. For Open SIP customers, contact Open SIP support. Version History 1.0: Initial release on 2025-05-07 2.0: Updated affected products and remediation information on 2025-08-26

Goal Reached Thanks to every supporter — we hit 100%!

Mitel SIP Phones Command Injection & Unauthorized File Upload Vulnerabilities (CVE-2025-4788/4789)