EUVD-2025-19009

| CVE-2025-27827 HIGH
2025-06-24 [email protected]
Information Disclosure Authentication Bypass
7.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-19009
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
CVE Published
Jun 24, 2025 - 14:15 nvd
HIGH 7.1

DescriptionNVD

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.2.0.3 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper handling of session data. A successful exploit requires user interaction and could allow an attacker to access sensitive information, leading to unauthorized access to active chat rooms, reading chat data, and sending messages during an active chat session.

AnalysisAI

CVE-2025-27827 is an information disclosure vulnerability in Mitel MiContact Center Business legacy chat component (versions through 10.2.0.3) that allows unauthenticated attackers to access sensitive chat data and session information through improper session handling. An attacker can exploit this to read active chat messages, join chat rooms without authorization, and send messages as legitimate users, requiring only user interaction to succeed. The CVSS 7.1 score reflects high confidentiality impact with limited integrity risk, though real-world exploitability depends on whether this is actively exploited (KEV status unknown from provided data) and patch availability from Mitel.

Technical ContextAI

The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically rooted in improper handling of session data within the legacy chat component of Mitel MiContact Center Business. The chat system likely fails to properly validate, encrypt, or isolate session tokens/identifiers, allowing attackers to intercept, forge, or reuse session identifiers to access chat rooms and message content without proper authentication. The 'legacy' designation suggests this is older code that may predate modern session management standards. The network-accessible nature (AV:N) indicates the chat component is exposed over HTTP/HTTPS protocols without sufficient authentication gating. The requirement for user interaction (UI:R) suggests attackers need to trick users or leverage browser-based attacks (e.g., CSRF, session fixation) to trigger the vulnerability, rather than simple direct exploitation.

RemediationAI

Specific remediation steps: (1) Immediate patch: Upgrade Mitel MiContact Center Business to version 10.2.0.4 or later (if available) or the latest patched version recommended by Mitel; (2) Workarounds (if patching delayed): Disable or restrict access to the legacy chat component at the network level (firewall rules, reverse proxy authentication layer); isolate the chat service to authorized networks only; enforce strict session timeout policies (60-minute maximum); implement additional authentication (IP whitelisting, VPN requirement) for chat access; (3) Monitoring: Enable audit logging for all chat session creation and message access events; monitor for suspicious session activity (multiple simultaneous sessions, sessions from unusual IPs); (4) Validation: Test patched versions in staging environment before production deployment to ensure functionality. Mitel advisories/patches should be obtained directly from Mitel's security portal or vendor website (www.mitel.com/security or equivalent) to verify patch version numbers and compatibility.

Share

EUVD-2025-19009 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy