The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is as follows –
- CVE-2024-41713 (CVSS score: 9.1) – A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access
- CVE-2024-55550 (CVSS score: 4.4) – A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization
- CVE-2020-2883 (CVSS score: 9.8) – A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3
It is worth noting that CVE-2024-41713 could be chained with CVE-2024-55550 to allow an unauthenticated, remote attacker to read arbitrary files on the server.
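Both Mitel entries above are path traversal bugs attributed to insufficient input sanitization. The following Python snippet is an added illustration of that bug class in general, not code from Mitel, CISA or the article: it places a vulnerable file-read routine beside a hardened one that canonicalises the requested path and refuses anything that resolves outside the served directory. All file names and contents are constructed for the demo; nothing here reflects MiCollab's actual file layout.

```python
import os
import tempfile
from pathlib import Path


def read_file_unsafe(base_dir: str, requested: str) -> bytes:
    """Vulnerable pattern: the caller-supplied name is joined onto the base
    directory without canonicalisation, so '../' segments (or an absolute
    path) walk out of the intended tree. This is the shape of bug the
    KEV entries describe, in generic form."""
    return Path(os.path.join(base_dir, requested)).read_bytes()


def resolve_under(base_dir: str, requested: str) -> Path:
    """Hardened pattern: resolve both base and target (following symlinks),
    then require the target to be the base itself or a descendant of it.
    Decoding (e.g. percent-encoding) must happen BEFORE this check so that
    the comparison sees the path the filesystem will actually open."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"refusing path outside served directory: {requested!r}")
    return target


def read_file_safe(base_dir: str, requested: str) -> bytes:
    """Read a file only after the containment check has passed."""
    return resolve_under(base_dir, requested).read_bytes()


def demo() -> dict:
    """Exercise both routines against a constructed directory tree and report
    what each one returned (or whether the hardened one blocked the request)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        public = root / "public"          # the directory meant to be served
        public.mkdir()
        (public / "notice.txt").write_bytes(b"public notice")        # constructed sample
        (root / "secret.txt").write_bytes(b"outside the served tree")  # constructed sample

        results = {}
        results["unsafe_inside"] = read_file_unsafe(str(public), "notice.txt")
        # Escapes the served tree: this is the defect.
        results["unsafe_escape"] = read_file_unsafe(str(public), "../secret.txt")

        results["safe_inside"] = read_file_safe(str(public), "notice.txt")
        try:
            read_file_safe(str(public), "../secret.txt")
            results["safe_escape"] = "allowed"
        except PermissionError:
            results["safe_escape"] = "blocked"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The containment test compares fully resolved paths, so it also rejects a symlink inside the served directory that points outside it, which a plain string check for `..` would miss. The check has to run on the decoded request, after any URL or Unicode normalisation the application performs.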
Details about the twin flaws emerged last month following a report from watchTowr Labs, which discovered the issues as part of its efforts to reproduce another critical bug in Mitel MiCollab (CVE-2024-35286, CVSS score: 9.8) that was patched in May 2024.
As for CVE-2020-2883, Oracle warned in late April 2020 that it had received "reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883."
There are currently no details available on how the aforementioned flaws are exploited in real-world attacks, who may be exploiting them, or the targets of those efforts.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by January 28, 2025, to secure their networks.