- A bug in MiVoice MX-ONE grants administrator access
- A vulnerability in MiCollab allows the execution of arbitrary commands
- Patches have been released for both, so users should update now
Mitel Networks has patched two important vulnerabilities in its products that could be abused to gain administrator access and deploy malicious code on compromised endpoints.
In a security advisory, Mitel said it discovered a critical-severity authentication bypass flaw in MiVoice MX-ONE, its enterprise-grade unified communications and collaboration (UCC) platform. MX-ONE is designed to scale from hundreds to more than 100,000 users in a single SIP-based system, whether centralized or distributed, and supports on-premises as well as public and private cloud deployments.
An improper access control weakness was discovered in the Provisioning Manager component, which could allow threat actors to gain administrative access without any user interaction.
Patches released
At the time of publication, a CVE had not yet been assigned, but the flaw was given a severity score of 9.4/10 (critical).
It affects versions 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14), and was addressed in versions 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1).
“Do not expose MX-ONE services directly to the public Internet. Ensure that the MX-ONE system is deployed within a trusted network. The risk can be mitigated by restricting access to the Provisioning Manager service,” Mitel said in the advisory.
The second flaw it fixed is a high-severity SQL injection vulnerability in MiCollab, the company’s collaboration platform. It is tracked as CVE-2025-52914 and allows threat actors to execute arbitrary SQL database commands.
The good news is that there is still no evidence that either flaw has been abused in the wild, so it is safe to assume that threat actors have not yet found them.
However, many cybercriminals simply wait for news of a vulnerability to break, betting that many organizations will not be able to patch their systems in time.
While this somewhat reduces the number of potential victims, it makes compromising the remaining ones much easier, and that number often stays high enough to give threat actors an incentive.
Via BleepingComputer