Canadian telecommunications giant Mitel Networks has patched serious vulnerabilities across several products. One of them is a critical authentication bypass flaw in the Mitel MiVoice MX-ONE communication platform, and users should update their systems promptly.
An Auth Bypass Flaw Affected Mitel MiVoice MX-ONE
According to the details shared in an advisory, a critical authentication bypass vulnerability affects Mitel MiVoice MX-ONE. Exploiting it would allow an unauthenticated adversary to gain access to admin or user accounts on the target system.
MiVoice MX-ONE is a business communication platform from Mitel, a Canadian communications, networking, and technology giant offering a range of communication solutions. MiVoice MX-ONE offers users a secure communications platform, supporting text messages, video calls, and integration for different collaboration tools.
Sharing the details about the auth bypass flaw in MiVoice MX-ONE, the advisory reads,
An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which if successfully exploited could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control.
This vulnerability received a critical severity rating and a CVSS score of 9.4. It affects MiVoice MX-ONE versions 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14). The firm has patched the vulnerability with MXO-15711_78SP0 and MXO-15711_78SP1 for MX-ONE versions 7.8 & 7.8 SP1, respectively.
Mitel also urged users to update their systems with the patched releases. Where an immediate update isn’t possible, users should restrict access to the Provisioning Manager and ensure the systems are not directly exposed to the internet.
SQL Injection Patched In Mitel MiCollab
Alongside patching MiVoice MX-ONE, Mitel also addressed another serious vulnerability in MiCollab – another communication solution for businesses. It offers various communication tools to support business needs, such as web conferencing and CRM integration, to enhance productivity and team collaboration.
As described in an advisory, an SQL injection vulnerability existed in the platform’s Suite Applications Services component. An authenticated adversary could exploit the flaw to execute arbitrary SQL database commands.
An SQL vulnerability has been identified in the Suite Applications Services component of Mitel MiCollab, which if successfully exploited could allow an authenticated attacker to conduct an SQL Injection attack due to insufficient validation of user input.
A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system.
This vulnerability, identified as CVE-2025-52914, received a high severity rating with a CVSS score of 8.8. It affected MiCollab versions 10.0 (10.0.0.26) to 10.0 SP1 FP1 (10.0.1.101), and 9.8 SP3 (9.8.3.1) and earlier. The firm patched the vulnerability in releases 10.1 (10.1.0.10) and 9.8 SP3 FP1 (9.8.3.103), urging users to upgrade. Alternatively, users may update their systems with the specific patches for the 10.0 SP1 FP1 (10.0.1.101) and 9.8 SP3 (9.8.3.1) releases.
Mitel credited the researcher Jasper Korten of Bureau Veritas Cybersecurity for reporting this flaw.
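For administrators triaging an asset inventory against the two affected ranges quoted above (MiVoice MX-ONE and MiCollab), the following is an added example, not code from Mitel or its advisories. The hostnames and inventory builds are constructed sample data, and it assumes the build string alone does not show whether a patch such as MXO-15711_78SP1 is installed, so an in-range hit means "verify the fix", not "confirmed vulnerable".

```python
# Added example: flag inventory entries whose build falls in a range quoted in the article.

def parse(build, width=5):
    """Turn a dotted build such as '7.8.1.0.14' into a zero-padded, comparable tuple."""
    parts = [int(p) for p in build.strip().split(".")]
    return tuple((parts + [0] * width)[:width])

# (product, lowest affected build, highest affected build), as stated in the article.
# A low bound of None stands for "this build and earlier".
AFFECTED = [
    ("MiVoice MX-ONE", "7.3.0.0.50", "7.8.1.0.14"),
    ("MiCollab", "10.0.0.26", "10.0.1.101"),
    ("MiCollab", None, "9.8.3.1"),
]

def in_affected_range(product, build):
    """True if the build lies inside any listed range for that product."""
    v = parse(build)
    for name, low, high in AFFECTED:
        if name != product:
            continue
        if (low is None or v >= parse(low)) and v <= parse(high):
            return True
    return False

def triage(inventory):
    """Return the (host, product, build) entries that need a patch check."""
    return [(h, p, b) for h, p, b in inventory if in_affected_range(p, b)]

# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = [
    ("pbx-01.example.internal", "MiVoice MX-ONE", "7.8.1.0.14"),
    ("pbx-02.example.internal", "MiVoice MX-ONE", "7.2.0.0.10"),
    ("collab-01.example.internal", "MiCollab", "10.0.1.101"),
    ("collab-02.example.internal", "MiCollab", "10.1.0.10"),
    ("collab-03.example.internal", "MiCollab", "9.8.3.103"),
    ("collab-04.example.internal", "MiCollab", "9.7.0.5"),
]

if __name__ == "__main__":
    for host, product, build in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {build} is in an affected range; confirm the fix is installed")
```

A build outside the listed ranges is only outside what the article quotes; it is not evidence that the release is supported or otherwise safe.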