CVE-2025-23094

High

Published: 06 February 2025

Published

06 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0214 84.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

The Platform component of Mitel OpenScape 4000 and OpenScape 4000 Manager V11 R0.22.0 through V11 R0.22.1, V10 R1.54.0 through V10 R1.54.1, and V10 R1.42.6 and earlier could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the same privilege level as the web access process.

Security Summary

CVE-2025-23094 is a command injection vulnerability (CWE-77) in the Platform component of Mitel OpenScape 4000 and OpenScape 4000 Manager. It affects versions V11 R0.22.0 through V11 R0.22.1, V10 R1.54.0 through V10 R1.54.1, and V10 R1.42.6 and earlier. The issue stems from insufficient parameter sanitization, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary commands at the privilege level of the web access process, potentially leading to limited confidentiality, integrity, and availability impacts.

Mitigation details and patches are outlined in the Mitel Product Security Advisory MISA-2025-0001, available at https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0001.

Details

CWE(s): CWE-77

References

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0001
cve@mitre.org