Mitel warns critical security flaw could let hackers completely bypass logins

A bug in MiVoice MX-ONE granted admin access
A vulnerability in MiCollab allows arbitrary command execution
Patches were released for both, so users should update now

Mitel Networks has patched two important vulnerabilities in its products that could be abused to gain admin access and deploy malicious code on compromised endpoints.

In a security advisory, Mitel said it discovered a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-ONE is designed to scale from hundreds to over 100,000 users in a single distributed or centralized SIP-based system, and supports both on‑premises and private/public cloud deployments.

An improper access control weakness was discovered in the Provisioning Manager component, which could allow threat actors to gain admin access without victim interaction.

Patches released

At press time, the bug has not yet been assigned a CVE, but it was given a 9.4/10 (critical) severity score.

It affects versions 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), and was addressed in versions 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).

“Do not expose the MX-ONE services directly to the public internet. Ensure that the MX-ONE system is deployed within a trusted network. The risk may be mitigated by restricting access to the Provisioning Manager service,” Mitel said in the advisory.

The second flaw it fixed is a high-severity SQL injection vulnerability found in MiCollab, the company’s collaboration platform. It is tracked as CVE-2025-52914, and allows threat actors to execute arbitrary SQL database commands.

The good news is that there is still no evidence that these two flaws have been abused in the wild, so it’s safe to assume no threat actors found it yet.

However, many cybercriminals simply wait for the news of a vulnerability to break, betting that many organizations fail to patch their systems on time.

While this somewhat reduces the number of potential victims, it makes compromising the remaining ones a lot easier, and that number is often still high enough to give the threat actors incentive.

Via BleepingComputer

What's Hot

Luma launches AI-powered production studio with faith-focused Wonder Project

Factory hits $1.5B valuation to build AI coding for enterprises

Slash, a Ramp competitor founded by teenagers, raises $100M at $1.4B valuation

Conntour raises $7M from General Catalyst, YC to build an AI search engine for security video systems

Delve did the security compliance on LiteLLM, an AI project hit by malware

Databricks bought two startups to underpin its new AI security product

College social app Fizz expands into grocery delivery

A Former Apple Luminary Sets Out to Create the Ultimate GPU Software

The Reason Murderbot’s Tone Feels Off

Most Popular