Close Menu
    Tech Pulse
    Guides

    Mitel warns critical security flaw could let hackers completely bypass logins

    TechurzBy Updated:No Comments2 Mins Read
    A hacker wearing a hoodie sitting at a computer, his face hidden.


    • A bug in MiVoice MX-ONE granted admin access
    • A vulnerability in MiCollab allows arbitrary command execution
    • Patches were released for both, so users should update now

    Mitel Networks has patched two important vulnerabilities in its products that could be abused to gain admin access and deploy malicious code on compromised endpoints.

    In a security advisory, Mitel said it discovered a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-ONE is designed to scale from hundreds to over 100,000 users in a single distributed or centralized SIP-based system, and supports both on‑premises and private/public cloud deployments.

    An improper access control weakness was discovered in the Provisioning Manager component, which could allow threat actors to gain admin access without victim interaction.


    You may like

    Patches released

    At press time, the bug has not yet been assigned a CVE, but it was given a 9.4/10 (critical) severity score.

    It affects versions 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), and was addressed in versions 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).

    “Do not expose the MX-ONE services directly to the public internet. Ensure that the MX-ONE system is deployed within a trusted network. The risk may be mitigated by restricting access to the Provisioning Manager service,” Mitel said in the advisory.

    The second flaw it fixed is a high-severity SQL injection vulnerability found in MiCollab, the company’s collaboration platform. It is tracked as CVE-2025-52914, and allows threat actors to execute arbitrary SQL database commands.

    The good news is that there is still no evidence that these two flaws have been abused in the wild, so it’s safe to assume no threat actors found it yet.

    However, many cybercriminals simply wait for the news of a vulnerability to break, betting that many organizations fail to patch their systems on time.

    While this somewhat reduces the number of potential victims, it makes compromising the remaining ones a lot easier, and that number is often still high enough to give the threat actors incentive.

    Via BleepingComputer

    You might also like

    Share.

    Related Posts

    Add A Comment