- A bug in MiVoice MX-ONE granted admin access
- A vulnerability in MiCollab allows arbitrary command execution
- Patches were released for both, so users should update now
Mitel Networks has patched two important vulnerabilities in its products that could be abused to gain admin access and deploy malicious code on compromised endpoints.
In a security advisory, Mitel said it discovered a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-ONE is designed to scale from hundreds to over 100,000 users in a single distributed or centralized SIP-based system, and supports both on‑premises and private/public cloud deployments.
An improper access control weakness was discovered in the Provisioning Manager component, which could allow threat actors to gain admin access without victim interaction.
Patches released
At press time, the bug has not yet been assigned a CVE, but it was given a 9.4/10 (critical) severity score.
It affects versions 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), and was addressed in versions 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).
"Do not expose the MX-ONE services directly to the public internet. Ensure that the MX-ONE system is deployed within a trusted network. The risk may be mitigated by restricting access to the Provisioning Manager service," Mitel said in the advisory.
The second flaw it fixed is a high-severity SQL injection vulnerability found in MiCollab, the company’s collaboration platform. It is tracked as CVE-2025-52914, and allows threat actors to execute arbitrary SQL database commands.
The good news is that there is still no evidence that these two flaws have been abused in the wild, so it’s safe to assume no threat actors found it yet.
However, many cybercriminals simply wait for the news of a vulnerability to break, betting that many organizations fail to patch their systems on time.
While this somewhat reduces the number of potential victims, it makes compromising the remaining ones a lot easier, and that number is often still high enough to give the threat actors incentive.
Via BleepingComputer
You might also like
- Mitel collaboration software zero-day strings along a previously patched vulnerability
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
