Hackers Can Seize Your Phone Network due to New Mitel Flaws
What Went Wrong in MiVoice MX‑ONE
Mitel has confirmed a “critical” hole in the Provisioning Manager of its MiVoice MX‑ONE phone system that lets anyone skip the login screen and grab full control. The weakness, tracked internally as MXO‑15711, sits in every build from version 7.3 all the way through 7.8 Service Pack 1. It scores 9.4 on the 10‑point CVSS danger scale, a clear sign that the bug can be turned into a working attack with little effort. Mitel’s advisory explains that the root cause is loose access checks inside the management interface, which means an attacker does not need a password at all. (Source: Mitel)
If you run MiVoice MX‑ONE 7.8 or 7.8 SP1, the company has already posted hot‑fix builds MXO‑15711_78SP0 and MXO‑15711_78SP1. Anyone on 7.3, 7.4, 7.5, 7.6, or 7.7 must request a custom patch through an authorised service partner, because the underlying code changes can’t be dropped in as easily on those older lines. (Source: SecurityWeek)
How Bad Could It Get?
Because Provisioning Manager is the brain that adds users, maps extensions, and decides who can reach the outside world, a break‑in gives crooks the same power as a top‑level admin. They could reroute calls to paid‑per‑minute numbers, record conference bridges, or wipe the entire configuration and lock staff out of the phone network during business hours. Worse, many companies expose the management port directly to the internet for remote upkeep, which means automated scan‑and‑exploit tools are already poking at these systems.
MiCollab’s SQL Injection Headache
Almost in parallel, Mitel also pushed out a fix for MiCollab, the teamwork platform that often connects to MX‑ONE. The fresh flaw, filed as CVE‑2025‑52914, scores 8.8 on the CVSS chart and lets a logged‑in user craft rogue SQL commands. With the right query an insider, or anyone who phished basic credentials, can read or tamper with the database that stores user profiles and routing rules. Versions 10.0 (build 10.0.0.26) through 10.0 SP1 FP1 (10.0.1.101), and 9.8 SP3 (9.8.3.1) and earlier, are open to attack. Safe ground begins with release 10.1 (10.1.0.10) or 9.8 SP3 FP1 (9.8.3.103).
Quick Safety Moves While You Patch
Patching is the only real cure, but Mitel gives two stop‑gap tips if a maintenance window is still days away. First, place MX‑ONE and MiCollab on an internal network segment or behind a VPN so random internet traffic can’t reach the login screen. Second, watch authentication and database logs for weird spikes, such as many failed admin logins or large, unexpected SQL queries. These signs often show up hours before a full takeover. (Source: TechRadar)
A Pattern of Exploits
Mitel appliances have proved tempting in the past. Security researchers recall that earlier voice gateways were used as springboards for ransomware crews because once the phone server is owned, attackers can pivot into the wider corporate network with ease. Threat‑intel teams are already seeing automated probes for the new MX‑ONE bug just twenty‑four hours after public disclosure. The speed of that activity underlines why administrators need to move just as fast on their defense.
What Admins Should Do Today
Check your build numbers: if the system reads any flavor of 7.8, install the matching MXO‑15711 hot fix; if it shows an older branch, contact your Mitel partner for a special package. For MiCollab, jump to 10.1 or 9.8 SP3 FP1 as soon as schedules allow. Once the code is up to date, close any firewall pinholes you opened years ago for “temporary” support access, turn on multi‑factor logins for every admin, and retire stale user accounts.
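The build check described above can be scripted across an inventory. The following is an added example, not Mitel's tooling: the inventory tuples, host names and the "7.8 SP1" release-string format are assumptions, and it assumes later builds on a fixed line keep the fix.

```python
import re

# Ranges transcribed from this article; MiCollab builds are 4-part numbers.
MICOLLAB_AFFECTED = [((0, 0, 0, 0), (9, 8, 3, 1)),
                     ((10, 0, 0, 26), (10, 0, 1, 101))]
MXONE_HOTFIX = {(7, 8, 0): "MXO-15711_78SP0", (7, 8, 1): "MXO-15711_78SP1"}
UNLISTED = "unlisted: confirm against the Mitel advisory"

def triage_micollab(build: str) -> str:
    """Classify a MiCollab build string such as '10.0.1.101'."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "unparsed: check manually"
    v = tuple(int(p) for p in parts)
    if any(lo <= v <= hi for lo, hi in MICOLLAB_AFFECTED):
        return "affected: upgrade to 10.1 (10.1.0.10) or 9.8 SP3 FP1 (9.8.3.103)"
    # Assumption: builds at or above a fixed build on the same line keep the fix.
    if v >= (10, 1, 0, 10) or (v[:2] == (9, 8) and v >= (9, 8, 3, 103)):
        return "fixed"
    # Builds the article does not place, e.g. between 9.8.3.1 and 9.8.3.103.
    return UNLISTED

def triage_mxone(release: str) -> str:
    """Classify an MX-ONE release string such as '7.8 SP1' (format assumed)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s*SP\s*(\d+))?\s*", release, re.I)
    if not m:
        return "unparsed: check manually"
    key = (int(m[1]), int(m[2]), int(m[3] or 0))
    if key in MXONE_HOTFIX:
        return "affected: install hot fix " + MXONE_HOTFIX[key]
    if key[0] == 7 and 3 <= key[1] <= 7:
        return "affected: request patch from an authorised Mitel partner"
    return UNLISTED

INVENTORY = [  # constructed sample, not real hosts
    ("pbx-01", "mxone", "7.8 SP1"),
    ("pbx-02", "mxone", "7.5"),
    ("collab-01", "micollab", "10.0.1.101"),
    ("collab-02", "micollab", "9.8.3.50"),
]

def triage(inventory):
    """Map each host to its verdict."""
    fn = {"mxone": triage_mxone, "micollab": triage_micollab}
    return {host: fn[product](ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:10} {verdict}")
```

The script reads only the release string, so an MX‑ONE 7.8 system that already has its hot fix installed is still reported as affected and needs a manual check.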
Phone systems rarely sit at the top of the patch queue, yet they hold the keys to call records, voicemails, and sometimes even door‑entry gear. With the new flaws now public, and proof‑of‑concept attacks circulating online, every hour an unpatched box stays online is an hour crooks can walk in. Prioritise the update, lock down the interfaces, and keep a watchful eye on your logs.