- A flaw in MiVoice MX-One grants administrator access
- A vulnerability in MiCollab allows the execution of arbitrary commands
- Patches have been released for both, so users should update now
Mitel Networks has patched two important vulnerabilities in its products that could be abused to gain administrator access and run malicious code on compromised endpoints.
In a security advisory, Mitel said it discovered a critical-severity authentication bypass flaw in MiVoice MX-One, its enterprise-grade Unified Communications & Collaboration (UCC) platform. MX-One is designed to scale from hundreds to over 100,000 users in a single distributed or centralized SIP-based system and supports both on-premises and private/public cloud deployments.
An improper access control flaw was discovered in the Common Manager component, which could allow threat actors to gain admin access without any interaction from the victim.
Patches released
At the time of publication, the flaw had not yet been assigned a CVE, but it received a 9.4/10 (critical) severity score.
It affects versions 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) and was addressed in versions 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).
“Do not expose the MX-One services directly to the public internet. Make sure the MX-One system is implemented within a trusted network. The risk can be reduced by limiting access to the Delivery Manager service,” Mitel said in the advisory.
The other flaw it fixed is a high-severity SQL injection vulnerability found in MiCollab, the company’s collaboration platform. It is tracked as CVE-2025-52914 and allows threat actors to execute arbitrary SQL database commands.
The good news is that there is still no evidence that these two flaws have been exploited in the wild, so it is safe to assume that threat actors have not found them yet.
However, many cybercriminals simply wait for news of a vulnerability to break, betting that many organizations will not be able to patch their systems in time.
While this somewhat reduces the number of potential victims, it makes compromising the remaining ones much easier, and that number is often still high enough to give threat actors an incentive.
Via Bleeping Computer