Mitel patches critical MiVoice MX-ONE Auth bypass flaw
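Mitel fixed a critical authentication bypass vulnerability (CVSS 9.4) in MiVoice MX-ONE that allows an unauthenticated attacker to bypass authentication and access user or admin accounts. Affected versions are 7.3 through 7.8 SP1, and patches have been released. A SQL injection vulnerability in MiCollab (CVE-2025-52914, CVSS 8.8) was also fixed. 2025-7-25 07:38:58 Author: securityaffairs.com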

Mitel addressed a critical MiVoice MX-ONE flaw that could allow an unauthenticated attacker to conduct an authentication bypass attack.

A critical authentication bypass flaw (CVSS score of 9.4) in Mitel MiVoice MX-ONE allows attackers to exploit weak access controls and gain unauthorized access to user or admin accounts.

“An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which if successfully exploited could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control.” reads the advisory published by the vendor. “A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.”

The flaw impacts MiVoice MX-ONE from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14).

The company addressed the issue in MXO-15711_78SP0 and MXO-15711_78SP1, which are available for MX-ONE versions 7.8 and 7.8 SP1, respectively.

The vendor recommends keeping MX-ONE off the public internet and running it in a trusted network. The company also suggests limiting access or disabling the Provisioning Manager service per KMS guidance.

Mitel also addressed a SQL injection vulnerability, tracked as CVE-2025-52914 (CVSS score: 8.8), in MiCollab.

“An SQL vulnerability has been identified in the Suite Applications Services component of Mitel MiCollab, which if successfully exploited could allow an authenticated attacker to conduct an SQL Injection attack due to insufficient validation of user input.” reads the advisory. “A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system.”

Pierluigi Paganini

(SecurityAffairs – hacking, MiVoice MX-ONE)




Article source: https://securityaffairs.com/180345/security/mitel-patches-critical-mivoice-mx-one-auth-bypass-flaw.html