Overview

Mitel has issued urgent security updates to address a critical authentication bypass vulnerability in its MiVoice MX-ONE systems, potentially allowing attackers to gain unauthorized access to user and admin accounts.

Technical Details

  • Vulnerability Type: Authentication Bypass
  • Component Affected: Provisioning Manager in MiVoice MX-ONE
  • CVSS Score: 9.4 (Critical)
  • Cause: Improper access control
  • Impact: Full system access without authentication

Additionally, a high-severity SQL injection flaw was found in MiCollab, which could allow authenticated attackers to execute arbitrary SQL commands, compromising system confidentiality, integrity, and availability.

  • MiCollab CVE: CVE-2025-52914
  • CVSS Score: 8.8
  • Impact: Access to user provisioning data and database manipulation

Affected Devices

  • MiVoice MX-ONE Versions:
    • 7.3 (7.3.0.0.50) up to 7.8 SP1 (7.8.1.0.14)
  • MiCollab Versions:
    • 10.0 (10.0.0.26)
    • 10.0 SP1 FP1 (10.0.1.101)
    • 9.8 SP3 (9.8.3.1) and earlier

Recommended Remediations

ctrl:cyber recommends immediate patching of the affected devices to prevent exploitation. Until the devices are patched, we advise ensuring that they sit on a trusted network and that their exposure to the public internet is restricted.

  • For MiVoice MX-ONE:
    • Apply patches:
      • MXO-15711_78SP0 (for version 7.8)
      • MXO-15711_78SP1 (for version 7.8 SP1)
    • Users on version 7.3 and above should request patches via authorized service partners.
  • For MiCollab:
    • Upgrade to:
      • Version 10.1 (10.1.0.10)
      • 9.8 SP3 FP1 (9.8.3.103) or later
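To turn the version lists above into an inventory triage, here is an added example (not Mitel tooling) that classifies an installed build as affected, fixed or not listed, using only the builds named on this page. It assumes "9.8 SP3 (9.8.3.1) and earlier" means every lower MiCollab build, that only the two listed 10.0 builds are known affected, and that the inventory lines are constructed sample data.

```python
"""Classify Mitel MX-ONE / MiCollab builds against the advisory's version lists."""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.8.3.1' -> (9, 8, 3, 1, 0): pad to five fields so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (5 - len(parts))


# Builds taken from "Affected Devices" and "Recommended Remediations" above.
MXONE_AFFECTED = (parse_version("7.3.0.0.50"), parse_version("7.8.1.0.14"))
MICOLLAB_AFFECTED_MAX = parse_version("9.8.3.1")          # "and earlier" (assumption: all lower builds)
MICOLLAB_AFFECTED_EXACT = {parse_version("10.0.0.26"), parse_version("10.0.1.101")}
MICOLLAB_FIXED_98 = parse_version("9.8.3.103")             # 9.8 SP3 FP1 or later
MICOLLAB_FIXED_101 = parse_version("10.1.0.10")            # 10.1


def classify(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one product/version pair."""
    v = parse_version(version)
    if product == "MX-ONE":
        lo, hi = MXONE_AFFECTED
        # MX-ONE is fixed by hotfix MXO-15711, not by a new version number,
        # so a build inside the range stays "affected" until the patch is confirmed.
        return "affected" if lo <= v <= hi else "not listed"
    if product == "MiCollab":
        if v <= MICOLLAB_AFFECTED_MAX or v in MICOLLAB_AFFECTED_EXACT:
            return "affected"
        if (v[:2] == (9, 8) and v >= MICOLLAB_FIXED_98) or v >= MICOLLAB_FIXED_101:
            return "fixed"
        return "not listed"   # e.g. an unlisted 10.0.x build: confirm with the vendor
    raise ValueError(f"unknown product: {product}")


def triage(inventory: str) -> List[Tuple[str, str, str, str]]:
    """Parse 'host,product,version' lines and tag each with its advisory status."""
    rows = []
    for line in inventory.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        rows.append((host, product, version, classify(product, version)))
    return rows


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = """
pbx-01,MX-ONE,7.8.1.0.14
pbx-02,MX-ONE,7.2.0.0.9
uc-01,MiCollab,9.8.3.1
uc-02,MiCollab,10.0.1.101
uc-03,MiCollab,9.8.3.103
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-8s %-9s %-12s %s" % row)
```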

Sources: The Hacker News, Mitel MiCollab, Mitel MiVoice