What security vulnerabilities has Mitel Networks reported?

Mitel Networks has reported two critical security vulnerabilities: MISA-2025-0009 with CVSS score 9.4, an authentication bypass vulnerability in MiVoice MX-ONE caused by improper access control mechanisms that fail to adequately validate user permissions, allowing unauthenticated attackers to gain unauthorized access to administrative accounts. The second is a SQL injection vulnerability in MiCollab with CVSS score 8.8 that allows authenticated attackers to execute arbitrary SQL database commands.

Which Mitel products are affected by these vulnerabilities?

The authentication bypass vulnerability affects MiVoice MX-ONE enterprise communications platform, while the SQL injection vulnerability affects MiCollab. Both are critical enterprise communication systems used by organizations worldwide.

What patches are available for MiVoice MX-ONE?

For MiVoice MX-ONE version 7.8, apply patch MXO-15711_78SP0. For MiVoice MX-ONE version 7.8 SP1, apply patch MXO-15711_78SP1. For customers operating older versions from 7.3 and above, Mitel requires submitting a patch request through authorized service partners, with patches made available at the company's discretion.

How has Mitel resolved the MiCollab SQL injection issue?

Mitel has resolved the SQL injection issue in MiCollab versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later releases. Organizations should upgrade to these versions to address the vulnerability.

What temporary mitigations can organizations implement if unable to patch immediately?

For organizations unable to immediately apply patches, Mitel recommends isolating the platform from the public internet and making it accessible only within trusted network environments. Organizations can also reduce risk by restricting access to the Provisioning Manager service entirely, with specific instructions available in Mitel's knowledge management system.

How severe are these vulnerabilities?

Both vulnerabilities are considered critical. The authentication bypass vulnerability in MiVoice MX-ONE has a CVSS score of 9.4, making it extremely severe as it allows unauthenticated attackers to bypass authentication protections. The SQL injection vulnerability in MiCollab has a CVSS score of 8.8, also representing a high-severity risk that requires immediate attention.

How can organizations get patches for older MiVoice MX-ONE versions?

For customers operating older MiVoice MX-ONE versions from 7.3 and above, Mitel requires submitting a patch request through authorized service partners. Patches are made available at the company's discretion, so organizations should contact their Mitel service partners immediately to request the necessary patches.

What should organizations prioritize when addressing these vulnerabilities?

Organizations should prioritize patching the authentication bypass vulnerability in MiVoice MX-ONE due to its critical CVSS score of 9.4 and the fact that it affects unauthenticated access. Both vulnerabilities require immediate attention, but the authentication bypass poses the more severe risk as it allows unauthorized access to administrative accounts without any authentication requirements.

Advisory

Mitel networks reports critical authentication bypass flaw in MiVoice MX-ONE

Q: What versions of MiCollab are affected by the SQL injection vulnerability?

The SQL injection vulnerability affects MiCollab versions 10.0 (10.0.0.26) through 10.0 SP1 FP1 (10.0.1.101) and version 9.8 SP3 (9.8.3.1) and earlier.

published: July 24, 2025

Take action: If you have Mitel MiVoice MX-ONE or MiCollab systems, make sure they are isolated from the internet since attackers can bypass authentication and gain admin access without any credentials. Apply the available patches away - for MX-ONE versions 7.8/7.8 SP1 use patches MXO-15711_78SP0/MXO-15711_78SP1, and upgrade MiCollab to version 10.1 or 9.8 SP3 FP1 or later.

Learn More

Mitel Networks is reporting a critical security vulnerability affecting its MiVoice MX-ONE enterprise communications platform that could allow unauthenticated attackers to bypass authentication protections and gain unauthorized access to administrative accounts.

The primary vulnerability

Vulnerabilities summary:

MISA-2025-0009, no CVE code (CVSS score 9.4) - Authentication Bypass in MiVoice MX-ONE caused by from improper access control mechanisms that fail to adequately validate user permissions
MISA-2025-0009 (CVSS score 8.8) - SQL Injection in MiCollab. It allows authenticated attackers to execute arbitrary SQL database command

Affected Versions:

The authentication bypass vulnerability affects MiVoice MX-ONE versions ranging from 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14).

The SQL injection flaw affects MiCollab versions 10.0 (10.0.0.26) through 10.0 SP1 FP1 (10.0.1.101) and version 9.8 SP3 (9.8.3.1) and earlier.

Available Patches:

MiVoice MX-ONE version 7.8 apply patch MXO-15711_78SP0,
MiVoice MX-ONE version 7.87.8 SP1 apply patch MXO-15711_78SP1.
For customers operating older versions from 7.3 and above, Mitel requires submitting a patch request through authorized service partners, with patches made available at the company's discretion.

Mitel has resolved the SQL Injection issue in versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later releases.

For organizations unable to immediately apply patches, Mitel recommends isolating the platform from the public internet and accessible only within trusted network environments. Organizations can reduce risk by restricting access to the Provisioning Manager service entirely, via specific instructions available in Mitel's knowledge management system.

Mitel networks reports critical authentication bypass flaw in MiVoice MX-ONE

Read More
Fortinet issues private notifications to FortiManager customers to …
Critical LangChain serialization flaw enables secret extraction and …
CISA warns that AMI MegaRAC Vulnerability that enables …
Fortra FileCatalyst Workflow vulnerable to critical SQL Injection
Multiple Dell Storage Manager vulnerabilities patched, at least …