Mitel has released security updates to address a critical security flaw in MiVoice MX-ONE that could allow an attacker to bypass authentication protections.
“An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which, if successfully exploited, could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control,” the company said in an advisory released Wednesday.
“A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.”
The shortcoming, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.4 out of a maximum of 10.0. It affects MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14).
Patches for the issue have been made available in MXO-15711_78SP0 and MXO-15711_78SP1 for MX-ONE versions 7.8 and 7.8 SP1, respectively. Customers using MiVoice MX-ONE version 7.3 and above are recommended to submit a patch request to their authorized service partner.
As mitigations until fixes can be applied, it’s advised to limit direct exposure of MX-ONE services to the public internet and ensure that they are placed within a trusted network.
Along with the authentication bypass flaw, Mitel has shipped updates to resolve a high-severity vulnerability in MiCollab (CVE-2025-52914, CVSS score: 8.8) that, if successfully exploited, could permit an authenticated attacker to carry out an SQL injection attack.
“A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system,” Mitel said.
The vulnerability, which impacts MiCollab versions 10.0 (10.0.0.26) to 10.0 SP1 FP1 (10.0.1.101) and 9.8 SP3 (9.8.3.1) and earlier, has been resolved in versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later.
With shortcomings in Mitel devices coming under active attacks in the past, it’s essential that users move quickly to update their installations as soon as possible to mitigate potential threats.
