Mitel Product Security Advisory MISA-2025-0009
MX-ONE Authentication Bypass Vulnerability
Advisory ID: MISA-2025-0009
First Issue Date: 2025-07-23
Last Updated: 2025-07-23
Revision: 1.0
Summary
An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE. Due to improper access control, an unauthenticated attacker who successfully exploits it could conduct an authentication bypass attack.
A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.
The vulnerability severity is rated as critical.
Mitel recommends that customers with affected product versions apply the fixes in the highlighted solution. Customers who are unable to update in a timely manner should review the available workarounds.
Affected Products and Solutions
This security advisory provides information on the following products:
PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE |
MiVoice MX-ONE | 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14) | Mitel provided patches, MXO-15711_78SP0 and MXO-15711_78SP1, that are available for MX-ONE releases 7.8 and 7.8 SP1 respectively. For MiVoice MX-ONE version 7.3 and above, please submit a patch request to your authorized service partner. Patches are made available at Mitel's discretion. |
Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.
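The following is an added example, not Mitel code: a small triage script that checks an inventory of installed MX-ONE versions against the affected range and patch names in the table above. It assumes versions are five-field dotted strings like the two quoted in the advisory and that the third field is the service-pack number; the host names and intermediate build numbers are constructed.

```python
# Added example: triage an inventory of MX-ONE versions against MISA-2025-0009.
# Assumption: versions are dotted strings like the two the advisory quotes,
# and the third field is the service-pack number (7.8.1.0.14 = 7.8 SP1).
AFFECTED_MIN = (7, 3, 0, 0, 50)   # 7.3, from the advisory
AFFECTED_MAX = (7, 8, 1, 0, 14)   # 7.8 SP1, from the advisory
PATCHES = {(7, 8, 0): "MXO-15711_78SP0", (7, 8, 1): "MXO-15711_78SP1"}


def parse_version(text):
    """Turn '7.8.1.0.14' into a 5-tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Return (status, action) for one installed version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unknown", "verify version manually")
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return ("outside advisory range", "check support status")
    patch = PATCHES.get(version[:3])
    if patch:
        return ("affected", f"apply {patch}")
    return ("affected", "request patch via authorized service partner")


def triage_inventory(inventory):
    """Map host -> triage result; a version alone cannot prove a patch is installed."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: host names and the non-advisory builds are made up.
    sample = {
        "pbx-a": "7.3.0.0.50",
        "pbx-b": "7.8.0.0.33",
        "pbx-c": "7.8.1.0.14",
        "pbx-d": "7.2.0.0.10",
        "pbx-e": "7.8 SP1",
    }
    for host, (status, action) in triage_inventory(sample).items():
        print(f"{host}: {status}: {action}")
```

A result of "affected" identifies candidates for patching only; whether a patch has already been applied must be confirmed on the system itself.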
Vulnerability Severity
The following products have been identified as affected:
PRODUCT NAME | CVE ID | SEVERITY | CVSS 3.1 BASE SCORE |
MiVoice MX-ONE | | Critical / 9.4 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
The vulnerability severity is rated as critical.
Mitigations / Workarounds
Customers with affected product versions should apply the fixes in the highlighted solution.
Do not expose the MX-ONE services directly to the public internet. Ensure that the MX-ONE system is deployed within a trusted network.
The risk may be mitigated by restricting access to the Provisioning Manager service. To disable the Provisioning Manager service, please follow the instructions found in the KMS article.
Solution / Recommended Action
Mitel provided patches MXO-15711_78SP0 and MXO-15711_78SP1 that address this vulnerability for MiVoice MX-ONE releases 7.8 and 7.8 SP1 respectively.
For MiVoice MX-ONE version 7.3 and above, please submit a patch request to your authorized service partner. Patches are made available at Mitel's discretion.
Please see Mitel Knowledge Base article SO8566, “MiVoice MX-ONE Security Update”: https://mitel.custhelp.com/app/answers/answer_view/a_id/1021860
If you do not have access to this link, please contact your Mitel Authorized Partner for support.
For further information, please contact Mitel Product Support.
Revision History
Version | Date | Description |
1.0 | 2025-07-23 | Initial version |
Publisher and Legal Disclaimer
Publisher: Mitel PSIRT / [email protected]
The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.