Mitel Product Security Advisory MISA-2025-0002

MiContact Center Business Information Disclosure Vulnerability

Advisory ID: MISA-2025-0002

Publish Date: 2025-01-22

Last Updated: 2025-03-11

Revision: 3.0

Summary

An information disclosure vulnerability has been identified in the Legacy Chat component of MiContact Center Business, which if successfully exploited, could allow an unauthenticated attacker to conduct an information disclosure attack due to improper handling of session data.

A successful exploit of this vulnerability requires user interaction and could allow an attacker to access sensitive information, leading to unauthorized access to active chat rooms, reading chat data, and sending messages during an active chat session.

The vulnerability severity is rated as high.

Mitel is recommending customers with affected product versions apply the fixes in the highlighted solution.

Affected Products

This security advisory provides information on the following products:

Product Name

Version(s) Affected

Solution(s) Available

MiContact Center Business

10.2.0.0 through 10.2.0.3
10.1.0.0 through 10.1.0.5
10.0.0.0 through 10.0.0.4
9.5.0.3 and earlier

Mitel has provided hotfixes KB20256817, KB570775, KB569707, and KB571025 that are available for releases 10.2.0.3, 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively.
Upgrade to one of these releases and apply the provided hotfix, or upgrade to a later release.

Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.

Vulnerability Severity

The following products have been identified as affected:

Product Name

CVE ID

Severity

CVSS 3.1 Base Score

MiContact Center Business

CVE-2025-27827

High / 7.1

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

The vulnerability severity is rated as high.

Mitigations / Workarounds

Customers with affected product versions should apply the fixes in the highlighted solution.
The risk may be mitigated by following the instructions found in the KMS article.
The risk may also be mitigated by turning off the Legacy Chat or converting to the CloudLink Contact Center Messenger Chat.

Solution/ Recommended Action

Mitel has provided hotfixes KB20256817, KB570775, KB569707, and KB571025 that are available for releases 10.2.0.3, 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively

Upgrade to these releases and apply the provided fix or upgrade to a later release.

Please see Mitel Knowledge Base article SO8353 "MiContact Center Business, Security Update - CVE-2025-27827" https://mitel.custhelp.com/app/answers/answer_view/a_id/1021320

If you do not have access to this link, please contact your Mitel Authorized Partner for support.

For further information, please contact Mitel Product Support.

Related CVEs / CWEs / Advisories

CVE-2025-27827

Revision History

Version	Date	Description
1.0	2025-01-22	Initial release
2.0	2025-02-04	Updated affected products and solution information
3.0	2025-03-11	Updated the CVE Number

Publisher and Legal Disclaimer

Publisher: Mitel PSIRT / [email protected]

The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.

First Name

Last Name

Email Address

Relationship to Mitel

By providing the above information, you agree that we may process your personal data in accordance with our Privacy Policy.

Do you agree to the terms and conditions of using our services?