- A bug in MiVoice MX-ONE granted admin entry
- A vulnerability in MiCollab permits arbitrary command execution
- Patches have been launched for each, so customers ought to replace now
Mitel Networks has patched two necessary vulnerabilities in its merchandise that could possibly be abused to realize admin entry and deploy malicious code on compromised endpoints.
In a safety advisory, Mitel mentioned it found a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-ONE is designed to scale from a whole lot to over 100,000 customers in a single distributed or centralized SIP-based system, and helps each on‑premises and personal/public cloud deployments.
An improper entry management weak spot was found within the Provisioning Supervisor element, which may enable risk actors to realize admin entry with out sufferer interplay.
Patches launched
At press time, the bug has not but been assigned a CVE, nevertheless it was given a 9.4/10 (crucial) severity rating.
It impacts variations 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), and was addressed in variations 7.8 (MXO-15711_78SP0) and seven.8 SP1 (MXO-15711_78SP1).
“Don’t expose the MX-ONE providers on to the general public web. Make sure that the MX-ONE system is deployed inside a trusted community. The chance could also be mitigated by limiting entry to the Provisioning Supervisor service,” Mitel mentioned within the advisory.
The second flaw it fastened is a high-severity SQL injection vulnerability present in MiCollab, the corporate’s collaboration platform. It’s tracked as CVE-2025-52914, and permits risk actors to execute arbitrary SQL database instructions.
The excellent news is that there’s nonetheless no proof that these two flaws have been abused within the wild, so it’s protected to imagine no risk actors discovered it but.
Nonetheless, many cybercriminals merely anticipate the information of a vulnerability to interrupt, betting that many organizations fail to patch their techniques on time.
Whereas this considerably reduces the variety of potential victims, it makes compromising the remaining ones loads simpler, and that quantity is usually nonetheless excessive sufficient to offer the risk actors incentive.
Through BleepingComputer
