TL;DR
Mitel disclosed 12 security flaws in MiCollab and the MiVoice Business Solution Virtual Instance (MiVB SVI). Eleven of them earn a Critical rating, and six reach the maximum CVSS 3.1 score of 10.0. An unauthenticated attacker can run arbitrary commands on affected systems. Mitel has released fixed versions and urges customers to update without delay.
Why These MiCollab Vulnerabilities Matter
MiCollab handles voice, video, chat, and web conferencing for many enterprises, so a single compromised server can expose sensitive internal communications. The new MiCollab vulnerabilities also share one dangerous trait: none of them requires authentication. Any attacker who can reach the vulnerable service over the network can attempt exploitation without credentials.
Exposure makes the threat worse. Researchers previously found more than 20,000 internet-facing MiCollab instances on Shodan, according to SecurityWeek. Attackers have targeted the platform before, too: CISA added two earlier MiCollab flaws to its Known Exploited Vulnerabilities catalog during 2025. That track record raises the stakes for this batch.
How the Attacks Work
The advisory describes several distinct weaknesses. Most involve command injection in the MiCollab Client Service and NuPoint Unified Messaging (NPM) components. According to Mitel, a successful exploit could let an attacker “execute arbitrary commands within the context of the system.”
The root causes vary. Mitel points to improper certificate validation, insufficient parameter sanitization, and missing authentication mechanisms. Other bugs widen the attack surface further. These include SQL injection, server-side request forgery (SSRF), and an XML external entity (XXE) flaw. Two file-handling bugs round out the list: an arbitrary file upload and an unauthorized file write that enables code execution.
Chaining Raises the Stakes
Mitel warns that these issues grow more dangerous in combination. The advisory states plainly that “exploiting these vulnerabilities together can significantly amplify their impact.” For example, an attacker could pair a file upload with command execution to seize full control of a server.
Exploitation Status
Mitel has not reported active exploitation of these specific flaws, and no public proof-of-concept exploit exists yet. Still, because none of the flaws requires authentication, prompt patching is the safe choice. Credit for most findings goes to Mustafa Can Ipekci of Synack Red Team. Researchers Phuoc Pham and Dung Pham reported one additional flaw.
Affected Versions
The flaws touch a wide range of releases. MiCollab builds from 10.0 (10.0.0.26) through 10.2 SP1 FP1 (10.2.1.102) are vulnerable. The same goes for 9.8 SP3 FP1 (9.8.3.103) and earlier. For MiVB SVI, versions 2.1.0.9-2 and earlier are affected. Notably, MiVB SVI is impacted only by the MiCollab Client Service flaws.
Patch and Mitigation Steps
Mitel urges customers to update as soon as feasible. The fixes ship in MiCollab 10.2 SP1 FP2 (10.2.1.205) and 9.8 SP3 FP2 (9.8.3.203). For MiVB SVI 2.x, administrators should move to 2.1.0.9-4. MiVB SVI 1.0 users should upgrade the MiCollab Client Service blade to 9.8.3.203 from the SVI Server Manager.
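To turn the version ranges above into an inventory check, here is an added example (not Mitel's tooling and not from the advisory) that parses MiCollab and MiVB SVI version strings and reports whether each one falls inside the affected range, at or above the fixed build, or in a gap the advisory does not name. The function names and the "unlisted" outcome are this example's own conventions; the version boundaries are the ones quoted in this article.

```python
"""Check MiCollab / MiVB SVI versions against the ranges in MISA-2026-0005.

Added example, not Mitel's tooling. The boundaries come from the advisory as
summarised in the article; assess_* names and the 'unlisted' status are
conventions of this example only.
"""
import re
from typing import Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '10.2.1.102' or '2.1.0.9-2' into a comparable tuple of ints.

    The hyphenated build suffix MiVB SVI uses ('-2', '-4') becomes a trailing
    numeric component, so 2.1.0.9-2 < 2.1.0.9-4 as expected.
    """
    s = s.strip()
    if not re.fullmatch(r"\d+(?:[.-]\d+)*", s):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part) for part in re.split(r"[.-]", s))


# Boundaries as stated in the advisory summary.
MICOLLAB_10_FIRST_AFFECTED = parse_version("10.0.0.26")
MICOLLAB_10_LAST_AFFECTED = parse_version("10.2.1.102")
MICOLLAB_10_FIXED = parse_version("10.2.1.205")
MICOLLAB_9_LAST_AFFECTED = parse_version("9.8.3.103")
MICOLLAB_9_FIXED = parse_version("9.8.3.203")
SVI_2_LAST_AFFECTED = parse_version("2.1.0.9-2")
SVI_2_FIXED = parse_version("2.1.0.9-4")


def assess_micollab(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for a MiCollab server build."""
    v = parse_version(version)
    if v[0] >= 10:
        if v >= MICOLLAB_10_FIXED:
            return "fixed"
        if MICOLLAB_10_FIRST_AFFECTED <= v <= MICOLLAB_10_LAST_AFFECTED:
            return "vulnerable"
        # e.g. 10.2.1.150: newer than the last listed affected build but older
        # than the fix. The advisory does not name it, so do not call it safe.
        return "unlisted"
    # 9.x and earlier: everything up to 9.8.3.103 is affected.
    if v >= MICOLLAB_9_FIXED:
        return "fixed"
    if v <= MICOLLAB_9_LAST_AFFECTED:
        return "vulnerable"
    return "unlisted"


def assess_mivb_svi(version: str) -> str:
    """Return status for a MiVB SVI 2.x build.

    SVI 1.0 is deliberately not handled here: for it the advisory says to
    update the MiCollab Client Service blade, so run assess_micollab() on the
    blade's version instead.
    """
    v = parse_version(version)
    if v[0] != 2:
        return "unlisted"
    if v >= SVI_2_FIXED:
        return "fixed"
    if v <= SVI_2_LAST_AFFECTED:
        return "vulnerable"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("MiCollab", "10.2.1.102"),
        ("MiCollab", "10.2.1.205"),
        ("MiCollab", "9.8.3.103"),
        ("MiCollab", "9.8.2.50"),
        ("MiVB SVI", "2.1.0.9-2"),
        ("MiVB SVI", "2.1.0.9-4"),
    ]
    for product, ver in inventory:
        status = assess_micollab(ver) if product == "MiCollab" else assess_mivb_svi(ver)
        print(f"{product:9} {ver:12} {status}")
```

Treat "unlisted" as a prompt to read the advisory and KB article rather than as a clean bill of health; the safe interpretation of any build below the fixed version is that it still needs the update.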
Some teams cannot patch right away. For them, Mitel points to mitigation steps in Knowledge Base article KB000127975. You can review the full technical detail in the official Mitel security advisory MISA-2026-0005.
CVE identifiers remain pending for now. Mitel notes the IDs “have been requested but are not yet assigned.” Administrators should not wait for those numbers before fixing these MiCollab vulnerabilities; until the CVEs land, track the work under the advisory ID MISA-2026-0005 so it is not lost in scanners and ticketing systems that key on CVE numbers.