CVE-2025-67822: Critical Authentication Bypass in Mitel MX-ONE Enables Unauthorized Administrative Control

Executive Summary

CVE ID: CVE-2025-67822
Product: MiVoice MX-ONE (Provisioning Manager component)
Vendor: Mitel
Severity: Critical
CVSS v3.1 Score: 9.4
Attack Vector: Network
Authentication Required: None
User Interaction: None
Impact: Unauthorized administrative access, configuration manipulation, service disruption

This vulnerability allows a remote attacker to bypass authentication controls in the MX-ONE Provisioning Manager web interface. If the management interface is reachable, an attacker can perform privileged actions without valid credentials. Because Provisioning Manager controls user accounts and system configuration, exploitation can lead to full administrative control of the telephony platform.


What Exactly Is Vulnerable

The issue exists in the Provisioning Manager component of MiVoice MX-ONE, which is the web-based management service used to:

  • Create and manage users and administrators
  • Assign roles and privileges
  • Provision phones and endpoints
  • Push configuration changes
  • Manage routing and telephony parameters

Certain HTTP endpoints in this component do not consistently enforce authentication checks. As a result, requests that should only be processed after successful login may be accepted even when no valid session exists.
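To make that failure mode concrete, here is an added illustration of the bug class written for this article; it is not Mitel's code and says nothing about how MX-ONE is actually implemented. It shows a tiny request dispatcher in which every handler is responsible for its own login check and one handler forgets, beside a dispatcher that authenticates every non-public route before any handler runs. The routes, the session store and the Request type are invented for the example.

```python
"""Added illustration of the bug class (per-route authentication that one
route omits) and its fix (deny-by-default enforcement before routing).
Not Mitel code: routes, session store and Request type are invented."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed session store for the example: session id -> user name.
VALID_SESSIONS = {"sess-a1b2": "alice"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    user: Optional[str] = None      # filled in by the hardened dispatcher


def session_user(req):
    """Return the user bound to a valid session cookie, or None."""
    return VALID_SESSIONS.get(req.cookies.get("SESSIONID"))


# --- Vulnerable pattern: each handler must remember its own check ---------

def list_users_vuln(req):
    if session_user(req) is None:
        return 401, "login required"
    return 200, sorted(VALID_SESSIONS.values())


def create_user_vuln(req):
    # The check is missing here. One forgotten line is the whole bug: an
    # unauthenticated POST creates an account with whatever role it asks for.
    return 201, {"created": req.body.get("name"), "role": req.body.get("role")}


VULN_ROUTES = {
    ("GET", "/admin/users"): list_users_vuln,
    ("POST", "/admin/users"): create_user_vuln,
}


def dispatch_vuln(req):
    handler = VULN_ROUTES.get((req.method, req.path))
    return handler(req) if handler else (404, "not found")


# --- Hardened pattern: authenticate first, route second -------------------

# Only routes listed here may be reached without a session.
PUBLIC_ROUTES = {("POST", "/admin/login")}


def login_hard(req):
    return 200, "login handled here"


def list_users_hard(req):
    return 200, sorted(VALID_SESSIONS.values())


def create_user_hard(req):
    # No check needed: dispatch_hard guarantees req.user is set.
    return 201, {"created": req.body.get("name"), "role": req.body.get("role"),
                 "by": req.user}


HARD_ROUTES = {
    ("POST", "/admin/login"): login_hard,
    ("GET", "/admin/users"): list_users_hard,
    ("POST", "/admin/users"): create_user_hard,
}


def dispatch_hard(req):
    if (req.method, req.path) not in PUBLIC_ROUTES:
        user = session_user(req)
        if user is None:
            return 401, "login required"   # fail closed for every other route
        req.user = user
    handler = HARD_ROUTES.get((req.method, req.path))
    return handler(req) if handler else (404, "not found")


if __name__ == "__main__":
    anon = Request("POST", "/admin/users", body={"name": "backdoor", "role": "admin"})
    print("vulnerable:", dispatch_vuln(anon))   # 201: account created, no session
    print("hardened:  ", dispatch_hard(anon))   # 401: rejected before routing
```

The hardened dispatcher also answers 401 rather than 404 for unknown paths when no session is present, so an unauthenticated client cannot even enumerate which management routes exist; the price is that the public-route allowlist must be reviewed whenever a route is added.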


Affected Versions

MX-ONE versions from 7.3 through 7.8 SP1 are affected; the vendor advisory linked below lists the fixed builds for each release.

Any deployment running one of these versions should be considered vulnerable until patched, regardless of whether exploitation has been observed.


Why This Vulnerability Is Dangerous

This is not a cosmetic or information-only issue. The Provisioning Manager is a control plane service. Bypassing authentication here allows an attacker to:

  • Create new administrator accounts
  • Modify existing user roles
  • Change telephony configurations
  • Push malicious or disruptive settings to endpoints
  • Permanently lock out legitimate administrators
  • Cause call routing failures or service outages

The CVSS score reflects this: the confidentiality impact is rated Low, while integrity and availability are both rated High, and it is those two that carry the 9.4. In an enterprise voice environment, where the platform must keep routing calls, a high availability impact is especially serious.


High-Level Exploitation Flow (Educational)

No exploit payloads or actionable attack steps are provided below.

From a defensive standpoint, exploitation would generally follow this pattern:

  1. Service discovery
    The attacker identifies an MX-ONE system and determines that the Provisioning Manager web interface is reachable (commonly over HTTPS).
  2. Unauthenticated request submission
    Crafted HTTP requests are sent directly to management endpoints that should require authentication.
  3. Authentication bypass
    Due to improper validation, the application processes the request as if it were authenticated.
  4. Privilege abuse
    The attacker performs administrative actions such as account creation or configuration changes.

Because no credentials are required and no user interaction is involved, this vulnerability is attractive to attackers once discovered.


Exploit / PoC Availability

  • At the time of writing there is no publicly shared, reliable exploit code.
  • The vulnerability is straightforward to weaponize in principle: once the flaw is understood, custom tooling is feasible, so the absence of a public PoC should not delay patching.

How to Detect Exploitation or PoC Attempts

Required Log Sources

To detect abuse of this vulnerability, you must collect and retain:

  1. Provisioning Manager web access logs
    • HTTP method
    • URL path
    • Response code
    • Source IP
    • Session cookies or auth tokens
  2. MX-ONE audit / provisioning logs
    • User creation events
    • Role or privilege changes
    • Configuration push actions
  3. Firewall or network logs
    • Connections to management interfaces
    • Source networks and geolocation
  4. SIEM correlation
    • Ability to link web access with admin actions

Key Indicators of Compromise

Look for the following patterns:

  • Successful POST / PUT / DELETE requests to provisioning endpoints that carry no session identifier, or one that no login event issued
  • HTTP 200 or 201 responses from management URLs when no login event occurred for that source or session
  • Administrator accounts created with:
    • Unknown creator
    • Empty or “system” actor fields
    • Source IPs outside approved admin networks
  • Multiple management actions in a short time window from the same source IP
  • Configuration pushes immediately following suspicious account creation

Splunk Detection Rules

1. Unauthenticated Write Requests to Provisioning Manager

index=web_logs
(method=POST OR method=PUT OR method=DELETE)
(url="/provisioning*" OR url="/manager*" OR url="/pm*")
http_status IN (200,201,204)
| where isnull(cookie) AND isnull(auth_token)
| bin _time span=5m
| stats count values(url) AS urls by _time, src_ip, method, http_status

Why this matters:
Write operations should never succeed without authentication. Two caveats: the URL prefixes and field names above are placeholders and must be mapped to how your proxy or web server actually logs the Provisioning Manager; and a present cookie is not proof of a valid session, because an attacker can send an arbitrary cookie value with the request. Where login events are logged, the stronger rule joins the session identifier of each successful write against the identifiers issued by successful logins and alerts on any write whose session was never issued.

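The indicators listed above and the first Splunk rule, expressed as Python run over constructed access-log lines. This is an added example, not tooling from the advisory or from Mitel, and the log format, the management URL prefixes, the login path and the admin network range are assumptions to be replaced with your own. It goes one step beyond the SPL: rather than testing whether a cookie is merely present, it records which session identifiers a successful login actually issued and from where, then flags successful writes that carry no session, an unissued session, or a session used from a source other than the one that logged in, and it also flags any management request from outside the admin networks (the check the fourth rule below makes).

```python
"""Added example (not from the advisory or Mitel): the 'unauthenticated
write' and 'external source' indicators run over constructed access-log
lines. Log format, URL prefixes, login path and admin range are assumptions."""

import ipaddress
import re

# Constructed access-log format (hypothetical): one request per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+" '
    r'(?P<status>\d{3}) session="(?P<session>[^"]*)"$'
)

MGMT_PREFIXES = ("/provisioning", "/manager", "/pm")   # assumption
WRITE_METHODS = {"POST", "PUT", "DELETE"}
LOGIN_PATH = "/pm/login"                                # assumption
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # replace with your ranges

# Constructed sample: one legitimate admin, two attacker sources, one
# session reused from a different internal host.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.20.30.40 "POST /pm/login HTTP/1.1" 200 session="s-7f3a"
2025-12-01T10:00:05Z 10.20.30.40 "POST /provisioning/users HTTP/1.1" 201 session="s-7f3a"
2025-12-01T10:03:12Z 203.0.113.7 "POST /provisioning/users HTTP/1.1" 201 session=""
2025-12-01T10:03:13Z 203.0.113.7 "PUT /provisioning/roles HTTP/1.1" 200 session="s-0000"
2025-12-01T10:04:00Z 198.51.100.9 "POST /provisioning/users HTTP/1.1" 401 session=""
2025-12-01T10:05:00Z 10.20.30.41 "GET /provisioning/users HTTP/1.1" 200 session="s-7f3a"
"""


def parse(text):
    """Parse log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def in_admin_nets(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False        # unparseable source: treat as external
    return any(addr in net for net in ADMIN_NETS)


def detect(text):
    events = parse(text)
    # Pass 1: sessions that a successful login actually issued, and to whom.
    login_src = {}
    for e in events:
        if (e["method"] == "POST" and e["path"] == LOGIN_PATH
                and e["status"] == 200 and e["session"]):
            login_src[e["session"]] = e["src"]
    # Pass 2: evaluate every request to a management prefix.
    findings = []
    for e in events:
        if not e["path"].startswith(MGMT_PREFIXES):
            continue
        reasons = []
        if e["method"] in WRITE_METHODS and 200 <= e["status"] < 300:
            if not e["session"]:
                reasons.append("write_without_session")
            elif e["session"] not in login_src:
                reasons.append("write_with_unknown_session")
        if e["session"] in login_src and login_src[e["session"]] != e["src"]:
            reasons.append("session_ip_mismatch")
        if not in_admin_nets(e["src"]):
            reasons.append("external_source")
        if reasons:
            findings.append({"ts": e["ts"], "src": e["src"], "method": e["method"],
                             "path": e["path"], "status": e["status"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["src"], f["method"], f["path"], f["status"], f["reasons"])
```

On the sample, the rejected request from 198.51.100.9 is still reported, but only as external exposure, which is the point of keeping that check independent of the write check. The session-to-source comparison is noisy behind NAT or a load balancer that rewrites the client address, so disable it or key on a forwarded-for header where that applies.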

2. Suspicious Admin Account Creation

index=mxone_audit
(action="createUser" OR action="addUser")
| where role="admin" AND (isnull(actor) OR trim(actor)="" OR lower(actor)="unknown" OR lower(actor)="system")
| table _time, src_ip, actor, target_user, role

Why this matters:
The empty-string case matches the "empty or system actor fields" indicator above, which the null check alone would miss. Comparisons inside where are case-sensitive, hence the lower() calls; adjust the role value if your audit source labels administrators differently.

3. Account Creation Followed by Config Push (High Risk)

index=mxone_audit
(action="createUser" OR action="addUser" OR action="pushConfig" OR action="updateConfig")
| transaction src_ip maxspan=5m startswith=(action="createUser" OR action="addUser") endswith=(action="pushConfig" OR action="updateConfig")
| search eventcount>=2
| table _time, duration, src_ip, action, target_user

Why this matters:
Without startswith and endswith, two configuration pushes from the same address within five minutes would also fire; the constraints require the creation-then-push order the indicator describes.
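Rules 2 and 3 as Python over constructed JSON-lines audit events, added here as an example rather than taken from the advisory. The field names (time, src_ip, actor, action, target_user, role) and the action names mirror the rules above and are assumptions about how your MX-ONE audit log is parsed, not Mitel's schema. The sequence check generalises the transaction: every account creation from a source is paired with the first configuration action that same source performs within the window, regardless of the order the events arrived in.

```python
"""Added example: Splunk rules 2 and 3 above as Python over constructed
JSON-lines audit events. Field and action names are assumptions about how
the MX-ONE audit log is parsed; they are not Mitel's schema."""

import json
from datetime import datetime, timedelta

CREATE_ACTIONS = {"createUser", "addUser"}
CONFIG_ACTIONS = {"pushConfig", "updateConfig"}
SUSPICIOUS_ACTORS = {"", "unknown", "system"}   # compared case-insensitively
WINDOW = timedelta(minutes=5)                   # same span as the transaction

# Constructed audit events (hypothetical schema), deliberately out of order.
SAMPLE_AUDIT = """\
{"time":"2025-12-01T10:03:20Z","src_ip":"203.0.113.7","actor":null,"action":"createUser","target_user":"svc_backup","role":"admin"}
{"time":"2025-12-01T10:05:02Z","src_ip":"203.0.113.7","actor":"svc_backup","action":"pushConfig","target":"sip-trunk-01"}
{"time":"2025-12-01T09:00:00Z","src_ip":"10.20.30.40","actor":"alice","action":"createUser","target_user":"bob","role":"user"}
{"time":"2025-12-01T09:30:00Z","src_ip":"10.20.30.40","actor":"alice","action":"updateConfig","target":"dialplan"}
{"time":"2025-12-01T11:00:00Z","src_ip":"10.20.30.42","actor":"system","action":"addUser","target_user":"helpdesk2","role":"admin"}
"""


def parse_audit(text):
    """Parse JSON lines, attach a datetime, and sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["_t"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["_t"])
    return events


def suspicious_admin_creations(events):
    """Rule 2: admin accounts created by an unknown, system or empty actor."""
    hits = []
    for e in events:
        if e.get("action") not in CREATE_ACTIONS or e.get("role") != "admin":
            continue
        actor = e.get("actor")
        if actor is None or actor.strip().lower() in SUSPICIOUS_ACTORS:
            hits.append(e)
    return hits


def creation_followed_by_config(events, window=WINDOW):
    """Rule 3: for each source, pair every account creation with the first
    configuration action that source performs within `window`."""
    by_src = {}
    for e in events:
        by_src.setdefault(e.get("src_ip"), []).append(e)
    pairs = []
    for src, evs in by_src.items():          # evs stay time-ordered
        for i, e in enumerate(evs):
            if e.get("action") not in CREATE_ACTIONS:
                continue
            for later in evs[i + 1:]:
                gap = later["_t"] - e["_t"]
                if gap > window:
                    break                    # nothing later can be closer
                if later.get("action") in CONFIG_ACTIONS:
                    pairs.append({"src_ip": src, "created": e.get("target_user"),
                                  "config_action": later.get("action"),
                                  "seconds_apart": int(gap.total_seconds())})
                    break
    return pairs


def run(text):
    events = parse_audit(text)
    return {"suspicious_admin_creations": suspicious_admin_creations(events),
            "creation_then_config": creation_followed_by_config(events)}


if __name__ == "__main__":
    result = run(SAMPLE_AUDIT)
    for h in result["suspicious_admin_creations"]:
        print("suspicious admin creation:", h["src_ip"], h["target_user"], repr(h.get("actor")))
    for p in result["creation_then_config"]:
        print("creation then config:", p)
```

On the sample, alice's creation of bob followed half an hour later by a dial-plan update is not paired, while the null-actor creation of svc_backup followed 102 seconds later by a trunk push from the same external address hits both rules, which is the pattern worth paging on.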

4. External Access to Management Interface

index=firewall
dest_port=443
dest_host="mxone-provisioning"
| where NOT cidrmatch("10.0.0.0/8", src_ip)
| stats count by src_ip, dest_host

Why this matters:
Replace 10.0.0.0/8 and the host name with the admin and VPN ranges and the actual management host in your environment. Any hit is a finding even when the request itself was rejected: it shows the management interface is reachable from outside the networks meant to reach it, which is the exposure the hardening section says to eliminate.

How to Safely Validate Your Detection

If you need to confirm that alerts are working:

  • Generate synthetic log events that mimic suspicious behavior
  • Perform tests in a patched vs unpatched lab environment you own
  • Validate that unauthenticated requests are rejected after patching
  • Use red-team or penetration-testing services with written authorization

Never test against production without approval.


Incident Response Guidance

If you suspect exploitation:

  1. Preserve logs immediately
  2. Identify and disable suspicious admin accounts
  3. Block access to the Provisioning Manager from non-admin networks
  4. Rotate credentials for all privileged users
  5. Review configuration changes for unauthorized modifications
  6. Apply vendor patch before restoring normal access

Mitigation & Hardening

  • Apply Mitel’s official update immediately
  • Never expose MX-ONE management interfaces to the public internet
  • Restrict access to admin networks or VPN only
  • Enable detailed auditing for all provisioning actions
  • Alert on privilege escalation and configuration changes
  • Regularly review admin account lists

Official Vendor Patch

Mitel Product Security Advisory – MISA-2025-0009
Includes patches and upgrade guidance for CVE-2025-67822:

🔗 https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009


Final Takeaway

This vulnerability is dangerous because it targets trust, not just data.
If the management plane is compromised, the entire voice environment is at risk.

Patching is mandatory.
Detection is essential.
Exposure must be eliminated.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.