Fuze, a maker of popular enterprise-grade voice-over-IP handsets, earlier this year patched three vulnerabilities that exposed user account information and enabled unauthorized authentication.
The issues were made public today by researchers at Rapid7 who privately disclosed the flaws on April 12. Fuze turned around fixes for each of the vulnerabilities by May 6, but public disclosure was delayed until today.
The flaws were found in Fuze’s TPN Handset Portal; the Massachusetts company was formerly known as ThinkingPhones but changed its name in 2016. Fuze’s handsets and portals support voice, messaging and collaboration services, and are widely deployed in businesses, including Rapid7.