Attackers are increasingly capitalizing on newly disclosed vulnerabilities within hours of proof-of-concept (PoC) code becoming public. This shrinking timeline leaves defenders with little time to react. A recent example is the rapid response to two Mitel MiCollab vulnerabilities — CVE-2024-41713 (authentication bypass) and CVE-2024-35286 (SQL injection). On December 5, GreyNoise was ready. The same day the PoC went public, GreyNoise began observing attacker activity, demonstrating the speed at which threat actors exploit new information.
Timeline: From Disclosure to Observed Activity
- May 2024: CVE-2024-35286, the SQL injection vulnerability, is patched by Mitel.
- October 2024: CVE-2024-41713, an authentication bypass vulnerability, is disclosed. No PoC or large-scale visible activity is observed at this time.
- December 5, 2024: PoC code is publicly released for CVE-2024-41713, chaining it with another vulnerability. GreyNoise immediately deploys detection tags for both CVEs and begins observing attacker activity, including reconnaissance or exploitation, within hours.
Seeing the Activity: Data from GreyNoise
The following screenshots from GreyNoise’s Visualizer show unique IP addresses associated with attacker activity following the PoC release. These spikes coincide with the deployment of detection tags, providing a clear picture of how quickly attackers respond to new exploit information.
Leveraging our IP blocklists, GreyNoise customers can immediately block IPs targeting these vulnerabilities.
CVE-2024-41713 (Authentication Bypass):
The chart below shows unique IP addresses probing for CVE-2024-41713 on December 5, immediately after the PoC release. This activity demonstrates attacker interest, highlighting how quickly attackers act on new exploit opportunities. For defenders, this means prioritizing visibility and mitigation immediately after public disclosures.
CVE-2024-35286 (SQL Injection):
While the SQL injection vulnerability showed limited activity, it’s important to monitor for potential escalation. Even low activity levels can indicate attackers testing the waters, making proactive mitigation essential.
Addressing the Threat: Patches Are Available
Both vulnerabilities have been addressed by Mitel:
- CVE-2024-35286: Mitel released a patch in May 2024. Organizations should apply this fix immediately to mitigate risk.
- CVE-2024-41713: Mitel resolved this issue in MiCollab version 9.6, released in October 2024. Upgrading to this version or later is essential.
By applying these patches, organizations can reduce their exposure to attacker activity.
The Value of Real-Time Intelligence
The divergence between predicted exploit likelihood and real-world attacker behavior highlights the necessity for real-time threat intelligence. Predictive models like EPSS currently list both CVEs at 0% likelihood of exploitation, yet GreyNoise’s data provides concrete evidence of attacker activity. This underscores a critical reality: attackers act on opportunities as soon as they arise, often outpacing static predictions.
With GreyNoise, defenders can:
- Gain Immediate Visibility: Real-time data shows attacker activity targeting vulnerabilities as it happens.
- Prioritize Effectively: Knowing where attackers are focusing their efforts helps defenders allocate resources wisely.
- Preempt Escalation: Use GreyNoise blocklists and intelligence feeds to disrupt attacker workflows before reconnaissance escalates into exploitation.
Recommendations for Defenders
Organizations leveraging Mitel MiCollab should act quickly:
- Apply Available Patches: Ensure that fixes for both CVEs are implemented without delay.
- Leverage Real-Time Monitoring: Use platforms like GreyNoise to stay informed about attacker activity targeting your infrastructure.
- Adopt Layered Defenses: Implement network segmentation, access controls, and continuous monitoring to reduce exposure and contain potential breaches.
- Proactively Block Malicious IPs: Leverage real-time intelligence to identify threat actor IPs and dynamically block them.
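As an added illustration of the two steps this post describes, the unique-IP-per-day view behind the Visualizer charts and a blocklist derived from recent tag hits, the following example is mine and not GreyNoise's code. The observation records, their field names, the classification values and the 7-day lookback are constructed assumptions for the example, not GreyNoise's schema or policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample sensor hits tagged per CVE (assumed schema, not GreyNoise's).
# RFC 5737 documentation addresses are used; "benign" marks a known-good scanner.
OBSERVATIONS = [
    {"ip": "192.0.2.10", "tag": "CVE-2024-41713", "seen": "2024-12-05T09:12:00Z", "classification": "malicious"},
    {"ip": "192.0.2.10", "tag": "CVE-2024-41713", "seen": "2024-12-05T11:40:00Z", "classification": "malicious"},
    {"ip": "192.0.2.11", "tag": "CVE-2024-41713", "seen": "2024-12-05T13:02:00Z", "classification": "malicious"},
    {"ip": "198.51.100.7", "tag": "CVE-2024-41713", "seen": "2024-12-05T15:30:00Z", "classification": "benign"},
    {"ip": "192.0.2.12", "tag": "CVE-2024-35286", "seen": "2024-12-06T08:05:00Z", "classification": "malicious"},
    {"ip": "192.0.2.13", "tag": "CVE-2024-41713", "seen": "2024-12-06T10:15:00Z", "classification": "unknown"},
    {"ip": "203.0.113.5", "tag": "CVE-2024-41713", "seen": "2024-11-20T10:15:00Z", "classification": "malicious"},
]


def parse_ts(value):
    """Parse the feed's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unique_ips_per_day(observations, tag):
    """Distinct source IPs per UTC day for one detection tag: the 'spike' chart.
    Repeat hits from the same IP on the same day count once."""
    per_day = defaultdict(set)
    for obs in observations:
        if obs["tag"] == tag:
            per_day[parse_ts(obs["seen"]).date().isoformat()].add(obs["ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def build_blocklist(observations, tags, now, lookback_days=7):
    """IPs seen hitting any of `tags` within the lookback window, sorted numerically.
    Benign-classified scanners are skipped so research traffic is not blocked, stale
    hits are dropped so the list does not grow without bound, and malformed addresses
    in the feed are ignored rather than turned into broken firewall rules."""
    cutoff = now - timedelta(days=lookback_days)
    block = set()
    for obs in observations:
        if obs["tag"] not in tags or obs["classification"] == "benign":
            continue
        if parse_ts(obs["seen"]) < cutoff:
            continue
        try:
            block.add(str(ip_address(obs["ip"])))
        except ValueError:
            continue
    return sorted(block, key=ip_address)
```

Whether "unknown" classifications belong on the blocklist is a policy choice; the example blocks everything not marked benign, which favours containment over avoiding false positives.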
Staying Ahead of the Curve
The Mitel MiCollab vulnerabilities demonstrate the importance of rapid response in cybersecurity. While defenders cannot always predict when attackers will act, real-time visibility ensures they can respond effectively to reconnaissance or exploitation efforts as they emerge. GreyNoise’s ability to deploy detection tags on the same day as the PoC release exemplifies its commitment to staying ahead of attackers. This readiness is crucial in a world where the window between disclosure and active attacker activity continues to shrink. By detecting reconnaissance or exploitation efforts within hours, GreyNoise gives defenders the critical lead time needed to respond effectively.
The insights in this blog were made possible by GreyNoise’s Global Observation Grid, a network of internet-facing, primary sensors that passively observe and analyze global attack traffic. GreyNoise recently announced significant enhancements to its sensor and data pipeline technology that deliver deeper insights and broader coverage into cyber threats, equipping security teams with actionable intelligence to better detect, prioritize, and respond to emerging and resurgent threats.
Stay ahead of emerging threats with GreyNoise’s real-time intelligence. Contact us today to learn how we can help protect your organization from evolving vulnerabilities.