CVE-2025-67823
Published: 15 January 2026
Summary
CVE-2025-67823 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Mitel Cx. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-67823 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the Multimedia Email component in Mitel MiContact Center Business through version 10.2.0.10 and Mitel CX through version 1.1.0.1. The issue arises from insufficient input validation, which could enable script injection. Published on 2026-01-15, it has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact.
An unauthenticated attacker can exploit this vulnerability by crafting and sending a malicious email, provided the email channel is enabled in the affected systems. Exploitation requires victim user interaction, such as viewing the email in a browser or desktop client application, after which the attacker could execute arbitrary scripts in the victim's context. This may lead to theft of sensitive data like session cookies or credentials, though integrity and availability impacts are limited.
Mitel has issued security advisories addressing this vulnerability, available at https://www.mitel.com/support/security-advisories and specifically https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0010. Security practitioners should review these advisories for detailed mitigation guidance, including any available patches or workarounds.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206292
Vulnerability details
A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires…
more
user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in email rendering directly enables browser session hijacking via script execution to steal cookies/credentials.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly addresses the root cause of insufficient input validation in the Multimedia Email component, preventing script injection via malicious emails.
SI-15 enforces output filtering to sanitize email content before rendering in browsers or clients, blocking XSS payload execution.
SI-2 ensures timely flaw remediation by applying Mitel patches, eliminating the XSS vulnerability in affected versions.