The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is as follows –
- CVE-2024-41713 (CVSS score: 9.1) – A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access
- CVE-2024-55550 (CVSS score: 4.4) – A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization
- CVE-2020-2883 (CVSS score: 9.8) – A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3

It's worth noting that CVE-2024-41713 could be chained with CVE-2024-55550 to allow an unauthenticated, remote attacker to read arbitrary files on the server.
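Both MiCollab entries are path traversal bugs, and CVE-2024-55550 is attributed to insufficient input sanitization. As an added illustration of what a sound containment check looks like, not code from Mitel, watchTowr or the original article, the Python below canonicalises a user-supplied name against a fixed base directory and rejects the usual traversal shapes (plain `..`, percent-encoded, double-encoded, absolute, NUL-truncated). `BASE_DIR` and the sample requests are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed sample: the only directory the application may serve files from.
# It does not need to exist; os.path.realpath normalises non-existent paths too.
BASE_DIR = "/srv/app/data"

# Constructed sample requests covering the traversal shapes a filter must catch.
SAMPLE_REQUESTS = [
    "reports/2024/summary.txt",           # legitimate
    "../../etc/passwd",                   # plain traversal
    "%2e%2e/%2e%2e/etc/passwd",           # percent-encoded '..'
    "%252e%252e/%252e%252e/etc/passwd",   # double-encoded '..'
    "/etc/passwd",                        # absolute path
    "reports/ok.txt\x00.png",             # NUL-byte truncation attempt
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %252e are seen as '.' by the check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_under(base_dir: str, requested: str):
    """Return the canonical absolute path for `requested` if it stays inside
    base_dir, otherwise None. Both sides are canonicalised so '..' segments,
    redundant separators and symlinks cannot move the result outside base."""
    base = os.path.realpath(base_dir)
    decoded = fully_decode(requested)
    if "\x00" in decoded:          # NUL can truncate the path in C-level calls
        return None
    if os.path.isabs(decoded):     # only names relative to base are meaningful
        return None
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the containment test; a plain startswith(base) would wrongly
    # accept a sibling such as '/srv/app/data-other/...'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(base_dir: str, requests):
    """Map each request to 'allowed' or 'rejected' (audit-log friendly)."""
    return {
        req: ("allowed" if resolve_under(base_dir, req) else "rejected")
        for req in requests
    }


if __name__ == "__main__":
    for req, verdict in classify(BASE_DIR, SAMPLE_REQUESTS).items():
        print(f"{verdict:8s} {req!r}")
```

The decode-then-canonicalise order matters: decoding after the containment check would let an encoded `..` pass the check and be expanded later. Because `realpath` follows symlinks, a link inside the base directory that points outside it is also rejected, which is usually the intended behaviour for a file-serving endpoint.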
Details about the twin flaws emerged last month following a report from watchTowr Labs, which discovered the issues as part of its efforts to reproduce another critical bug in Mitel MiCollab (CVE-2024-35286, CVSS score: 9.8) that was patched in May 2024.
As for CVE-2020-2883, Oracle warned in late April 2020 that it had received "reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883."
There are currently no details available on how the aforementioned flaws are exploited in real-world attacks, who may be exploiting them, or the targets of these activities.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by January 28, 2025, to secure their networks.