The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws affecting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities are as follows –
- CVE-2024-41713 (CVSS Score: 9.1) – Path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access
- CVE-2024-55550 (CVSS Score: 4.4) – Path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files on the system due to insufficient input sanitization
- CVE-2020-2883 (CVSS Score: 9.8) – A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3
It should be noted that CVE-2024-41713 could be chained with CVE-2024-55550 to allow an unauthenticated remote attacker to read arbitrary files on the server.
Details of the two flaws emerged last month in a report from WatchTowr Labs, which discovered them while attempting to reproduce another critical bug in Mitel MiCollab (CVE-2024-35286, CVSS Score: 9.8) that was fixed in May 2024.
As for CVE-2020-2883, Oracle warned in late April 2020 that it had received “reports of attempts to exploit a number of recently patched vulnerabilities, including CVE-2020-2883.”
Currently, there are no details on how the aforementioned flaws are being used in real-world attacks, who might be exploiting them, or who the targets are.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by January 28, 2025 to secure their networks.