Critical Vulnerability in Mitel MiVoice MX-ONE Allows Unauthorized Access

Mitel has recently addressed a critical security vulnerability in its MiVoice MX-ONE communication platform. The flaw, found in the Provisioning Manager component, could enable unauthenticated attackers to bypass authentication and gain unauthorized access to user and administrative accounts. It arises from improper access control within the system and, if exploited, could compromise the confidentiality, integrity, and availability of the affected systems.

The issue affects MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14) and has been assigned a CVSS score of 9.4 out of 10. Mitel has released patches MXO-15711_78SP0 and MXO-15711_78SP1 for versions 7.8 and 7.8 SP1, respectively. Users of versions 7.3 and above are advised to contact their authorized service partners to obtain the necessary patches. As interim measures, Mitel recommends limiting the exposure of MX-ONE services to the public internet and ensuring they operate within trusted networks.

Mitel has also addressed a high-severity SQL injection vulnerability (CVE-2025-52914) in its MiCollab product. This flaw could allow authenticated attackers to execute arbitrary SQL commands, potentially affecting system confidentiality, integrity, and availability. The vulnerability impacts MiCollab versions 10.0 (10.0.0.26) to 10.0 SP1 FP1 (10.0.1.101) and 9.8 SP3 (9.8.3.1) and earlier. It has been resolved in versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later.

Given the history of active exploitation of vulnerabilities in Mitel devices, users are strongly encouraged to apply these updates promptly to mitigate potential security risks.
