CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation


Jan 08, 2025 | Ravie Lakshmanan | Vulnerability / Network Security


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The list of vulnerabilities is as follows –

  • CVE-2024-41713 (CVSS score: 9.1) – A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access
  • CVE-2024-55550 (CVSS score: 4.4) – A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization
  • CVE-2020-2883 (CVSS score: 9.8) – A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3

It is worth noting that CVE-2024-41713 could be chained with CVE-2024-55550 to allow an unauthenticated, remote attacker to read arbitrary files on the server.

Details about the twin flaws emerged last month following a report from WatchTowr Labs, which discovered the issues as part of its efforts to replicate another critical bug in Mitel MiCollab (CVE-2024-35286, CVSS score: 9.8) that was patched in May 2024.

As for CVE-2020-2883, Oracle warned in late April 2020 that it had received "reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883."

There are currently no details available on how the aforementioned flaws are exploited in real-world attacks, who may be exploiting them, or the targets of these activities.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by January 28, 2025, to secure their networks.
