CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The list of vulnerabilities is as follows -

• CVE-2024-41713 (CVSS score: 9.1) - A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access
• CVE-2024-55550 (CVSS score: 4.4) - A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization
• CVE-2020-2883 (CVSS score: 9.8) - A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3

It's worth noting that CVE-2024-41713 could be chained with CVE-2024-55550 to permit an unauthenticated, remote attacker to read arbitrary files on the server.

Details about the twin flaws emerged last month following a report from WatchTowr Labs, which discovered the issues as part of its efforts to replicate another critical bug in Mitel MiCollab (CVE-2024-35286, CVSS score: 9.8) that was patched in May 2024.

As for CVE-2020-2883, Oracle warned in late April 2020 that it had received "reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883."

There are currently no details available on how the aforementioned flaws are exploited in real-world attacks, who may be exploiting them, or the targets of these activities.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by January 28, 2025, to secure their networks.