
Mitel Addresses Critical Authentication Bypass Vulnerability in MiVoice MX-ONE


TL;DR

Mitel has addressed a critical authentication bypass vulnerability in its MiVoice MX-ONE system, which could allow unauthorized access to user or admin accounts. The flaw, with a CVSS score of 9.4, has been patched in the latest updates. Additionally, Mitel has fixed an SQL injection vulnerability in MiCollab.

Mitel Patches Critical Authentication Bypass Flaw in MiVoice MX-ONE

Mitel has addressed a critical authentication bypass vulnerability in its MiVoice MX-ONE system. The flaw, rated CVSS 9.4, stems from improper access control and allows an unauthenticated attacker to bypass authentication and gain unauthorized access to user or admin accounts.

Vulnerability Details

The vulnerability resides in the Provisioning Manager component of Mitel MiVoice MX-ONE. According to the advisory published by Mitel:

“An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which if successfully exploited could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control. A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.”

Affected Versions and Patches

The flaw impacts MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14). Mitel has released patches MXO-15711_78SP0 and MXO-15711_78SP1 for MiVoice MX-ONE versions 7.8 and 7.8 SP1, respectively.
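The affected range and the two patch identifiers above are the facts an administrator has to match against an inventory. The script below is an added example, not Mitel code: it takes the bounds quoted in the advisory, treats build strings as dotted integer tuples (an assumption of this example, consistent with the builds the advisory lists), and reports for each host whether it is in range and whether the named patch is present. The inventory rows, the `Host` record layout and the 7.8.0.0.30 / 7.9.0.0.1 builds are constructed sample data.

```python
"""Inventory triage for the MiVoice MX-ONE authentication bypass advisory.

Added example, not Mitel's code. The affected range and patch names are
quoted from the advisory; the inventory records below are constructed, and
the assumption that build strings order as dotted integer tuples is mine.
"""
from typing import NamedTuple

# Bounds quoted in the advisory: 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14)
AFFECTED_MIN = "7.3.0.0.50"
AFFECTED_MAX = "7.8.1.0.14"

# Patches named in the advisory, keyed by the release they apply to
PATCH_FOR_RELEASE = {
    "7.8": "MXO-15711_78SP0",
    "7.8 SP1": "MXO-15711_78SP1",
}


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '7.8.1.0.14' into (7, 8, 1, 0, 14) for ordered comparison.

    Assumption: every segment is a plain integer, as in the builds the
    advisory lists. Anything else is rejected rather than guessed at.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_affected(build: str) -> bool:
    """True when build falls inside [AFFECTED_MIN, AFFECTED_MAX], inclusive."""
    return parse_build(AFFECTED_MIN) <= parse_build(build) <= parse_build(AFFECTED_MAX)


class Host(NamedTuple):
    name: str
    release: str               # marketing release, e.g. "7.8 SP1"
    build: str                 # build string reported by the system
    patches: frozenset[str]    # patch identifiers already installed


def triage(hosts) -> dict[str, str]:
    """Map each host name to a status string a ticket or report can carry."""
    report = {}
    for h in hosts:
        if not is_affected(h.build):
            report[h.name] = "not in affected range"
            continue
        patch = PATCH_FOR_RELEASE.get(h.release)
        if patch is None:
            # Advisory lists patches only for 7.8 and 7.8 SP1
            report[h.name] = "affected; no patch listed for this release"
        elif patch in h.patches:
            report[h.name] = f"patched ({patch})"
        else:
            report[h.name] = f"affected; apply {patch}"
    return report


# Constructed sample inventory (not real hosts or builds)
INVENTORY = [
    Host("pbx-hq", "7.8 SP1", "7.8.1.0.14", frozenset({"MXO-15711_78SP1"})),
    Host("pbx-branch", "7.8", "7.8.0.0.30", frozenset()),
    Host("pbx-legacy", "7.3", "7.3.0.0.50", frozenset()),
    Host("pbx-lab", "7.9", "7.9.0.0.1", frozenset()),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12s} {status}")
```

The range check is inclusive at both ends because the advisory names both bounds as affected; a host on a release without a listed patch is flagged rather than silently assigned a patch the advisory does not mention.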

Recommendations

Mitel advises users to keep the MiVoice MX-ONE system off the public internet and run it in a trusted network. The company also suggests limiting access or disabling the Provisioning Manager service according to KMS guidance.

Additional Vulnerability: SQL Injection in MiCollab

Mitel has also addressed an SQL injection vulnerability in MiCollab, tracked as CVE-2025-52914 with a CVSS score of 8.8. According to the advisory:

“An SQL vulnerability has been identified in the Suite Applications Services component of Mitel MiCollab, which if successfully exploited could allow an authenticated attacker to conduct an SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system.”
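The advisory attributes the MiCollab issue to insufficient validation of user input reaching SQL. The following is an added example, not MiCollab code, showing the general pattern: a lookup that interpolates the input into the query text beside the same lookup with a bound parameter and an allow-list check. The `provisioning` table, its columns and the rows are constructed for illustration; nothing here reflects MiCollab's actual schema.

```python
"""SQL injection: a string-built query beside its parameterised form.

Added example, not Mitel or MiCollab code. Uses an in-memory SQLite table
with constructed rows; table and column names are assumptions.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed provisioning table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE provisioning (username TEXT, extension TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO provisioning VALUES (?, ?, ?)",
        [("alice", "1001", "user"), ("bob", "1002", "user"), ("admin", "1000", "admin")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: input is pasted into the SQL text, so quote characters
    and keywords in it change the query's structure, not just its value."""
    sql = f"SELECT username, extension, role FROM provisioning WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the SQL text is fixed and the value is bound as a parameter."""
    sql = "SELECT username, extension, role FROM provisioning WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(username: str) -> bool:
    """Defence in depth: reject anything outside a tight allow-list before it
    reaches the database at all (the validation the advisory says was missing)."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Validate, then query with a bound parameter."""
    if not validate_username(username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR 'a'='a"   # constructed input with an embedded quote
    print("unsafe :", lookup_unsafe(db, crafted))   # every row comes back
    print("safe   :", lookup_safe(db, crafted))     # no such user, empty list
    print("checked:", lookup(db, crafted))          # rejected before the query
```

The bound-parameter form is the actual fix; the allow-list is a second, independent layer so that a future query written without parameters is still shielded from inputs that carry SQL syntax.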

Follow for More Updates

For the latest updates on cybersecurity news, follow @securityaffairs on Twitter, Facebook, and Mastodon.

For more details, visit the full article: source

Conclusion

Mitel’s prompt action in addressing these critical vulnerabilities underscores the importance of regular security updates and vigilant monitoring. Users are urged to apply the patches immediately to protect their systems from potential threats.


This post is licensed under CC BY 4.0 by the author.