Mitel warns critical security flaw could let hackers completely bypass logins

News
By published

Two major Mitel vulnerabilities patched

A hacker wearing a hoodie sitting at a computer, his face hidden.
(Image credit: Shutterstock / Who is Danny)
  • A bug in MiVoice MX-ONE granted admin access
  • A vulnerability in MiCollab allows arbitrary command execution
  • Patches were released for both, so users should update now

Mitel Networks has patched two important vulnerabilities in its products that could be abused to gain admin access and deploy malicious code on compromised endpoints.

In a security advisory, Mitel said it discovered a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-ONE is designed to scale from hundreds to over 100,000 users in a single distributed or centralized SIP-based system, and supports both on‑premises and private/public cloud deployments.

An improper access control weakness was discovered in the Provisioning Manager component, which could allow threat actors to gain admin access without victim interaction.

Patches released

At press time, the bug has not yet been assigned a CVE, but it was given a 9.4/10 (critical) severity score.

It affects versions 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), and was addressed in versions 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).

"Do not expose the MX-ONE services directly to the public internet. Ensure that the MX-ONE system is deployed within a trusted network. The risk may be mitigated by restricting access to the Provisioning Manager service," Mitel said in the advisory.

The second flaw it fixed is a high-severity SQL injection vulnerability found in MiCollab, the company’s collaboration platform. It is tracked as CVE-2025-52914, and allows threat actors to execute arbitrary SQL database commands.

The good news is that there is still no evidence that these two flaws have been abused in the wild, so it’s safe to assume no threat actors found it yet.

However, many cybercriminals simply wait for the news of a vulnerability to break, betting that many organizations fail to patch their systems on time.

While this somewhat reduces the number of potential victims, it makes compromising the remaining ones a lot easier, and that number is often still high enough to give the threat actors incentive.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.