- A bug in MiVoice MX-ONE granted admin entry
- A vulnerability in MiCollab permits arbitrary command execution
- Patches had been launched for each, so customers ought to replace now
Mitel Networks has patched two necessary vulnerabilities in its merchandise that might be abused to achieve admin entry and deploy malicious code on compromised endpoints.
In a safety advisory, Mitel mentioned it found a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-ONE is designed to scale from lots of to over 100,000 customers in a single distributed or centralized SIP-based system, and helps each on‑premises and personal/public cloud deployments.
An improper entry management weak spot was found within the Provisioning Supervisor part, which might enable risk actors to achieve admin entry with out sufferer interplay.
Patches launched
At press time, the bug has not but been assigned a CVE, nevertheless it was given a 9.4/10 (crucial) severity rating.
It impacts variations 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), and was addressed in variations 7.8 (MXO-15711_78SP0) and seven.8 SP1 (MXO-15711_78SP1).
"Don’t expose the MX-ONE companies on to the general public web. Be sure that the MX-ONE system is deployed inside a trusted community. The chance could also be mitigated by proscribing entry to the Provisioning Supervisor service," Mitel mentioned within the advisory.
The second flaw it mounted is a high-severity SQL injection vulnerability present in MiCollab, the corporate’s collaboration platform. It’s tracked as CVE-2025-52914, and permits risk actors to execute arbitrary SQL database instructions.
Signal as much as the TechRadar Professional e-newsletter to get all the highest information, opinion, options and steerage your corporation must succeed!
The excellent news is that there’s nonetheless no proof that these two flaws have been abused within the wild, so it’s secure to imagine no risk actors discovered it but.
Nevertheless, many cybercriminals merely await the information of a vulnerability to interrupt, betting that many organizations fail to patch their methods on time.
Whereas this considerably reduces the variety of potential victims, it makes compromising the remaining ones rather a lot simpler, and that quantity is usually nonetheless excessive sufficient to offer the risk actors incentive.
Through BleepingComputer
You may also like
- Mitel collaboration software program zero-day strings alongside a beforehand patched vulnerability
- Check out our information to the very best authenticator app
- We've rounded up the very best password managers