Mitel Issues Critical Security Patch for MiVoice MX-ONE Amid Vulnerability Concerns

Mitel Networks has announced significant security updates aimed at addressing a critical authentication bypass vulnerability within its MiVoice MX-ONE enterprise communications platform. This flaw, identified in the Provisioning Manager component, allows unauthenticated attackers to gain unauthorized access to administrative accounts on unpatched systems without requiring user interaction.

The vulnerability affects versions 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14) of MiVoice MX-ONE. Mitel has advised users to upgrade to patched versions 7.8 (MXO-15711_78SP0) or 7.8 SP1 (MXO-15711_78SP1) to mitigate these risks. The company emphasized the importance of not exposing MX-ONE services directly to the public internet and ensuring the system is deployed within a trusted network.

Additionally, Mitel disclosed a high-severity SQL injection vulnerability affecting its MiCollab collaboration software, which could lead to arbitrary SQL database command execution on unpatched devices. Although these vulnerabilities have not been observed in active exploits, the Cybersecurity and Infrastructure Security Agency (CISA) previously issued warnings regarding similar vulnerabilities in January.

Mitel products are utilized by over 60,000 customers, including sectors such as education, healthcare, financial services, manufacturing, and government. Customers running affected versions of MiVoice MX-ONE have been urged to submit a patch request through their authorized service partner, reinforcing the urgency of addressing this critical vulnerability.