Mitel, a leading provider of business communications solutions, has issued a warning about critical security gaps in its MiVoice Connect and Connect Mobility Router products. The vulnerabilities could allow attackers on the local network to execute arbitrary code.
According to a security advisory from Mitel, MiVoice Connect’s server components, including Headquarters, Windows DVS, and Linux DVS, have inadequate access control. As a result, unauthenticated attackers on the local network can run arbitrary scripts. The vulnerabilities are rated as “critical.”
In the MiVoice Connect edge gateway, attackers can use default passwords to gain administrator rights. This vulnerability is rated as “high” and could give malicious actors control of the system.
There are also cross-site scripting vulnerabilities in the index.php and test_presenter.php pages of the MiVoice Connect conference component, which could allow attackers to execute arbitrary script code. These vulnerabilities are rated as “medium.”
Mitel has released software updates that fix the security gaps. The affected products are MiVoice Connect versions up to and including 19.3 SP2 (22.24.1500.0) and Connect Mobility Router version 9.6.2208.101 and earlier. IT managers should download and install the available software updates as soon as possible.
In addition to the software updates, Mitel recommends that customers assign complex passwords to all accounts on the Edge Gateway and Connect Mobility Router. Mitel has used default passwords in the Connect Mobility Router, which could allow attackers access with administrator rights.
Mitel’s MiVoice products have been targeted by attackers in the past, so it’s crucial for IT managers to take these vulnerabilities seriously and take action to protect their systems. Mitel has demonstrated a commitment to addressing security issues promptly, so IT managers can be confident that their systems are secure when they use Mitel products.