CISA says critical security flaws are being exploited at Oracle and Mitel
- CISA adds three new bugs to KEV: two in Mitel’s MiCollab and one in Oracle WebLogic Server
- The bugs allowed criminals to read sensitive files and take over vulnerable endpoints
- Federal agencies have until the end of January 2025 to deploy the patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new flaws to its Exploited Vulnerabilities Catalog (KEV), flagging exploits in the wild and giving federal agencies a deadline to fix the cases.
Two of the three shortcomings can be found in Mitel’s MiCollab unified communications platform. One of these is a critical path traversal vulnerability, tracked as CVE-2024-41713.
Exploiting this bug allows threat actors to perform administrative actions and gain access to user and network information.
A deadline to patch
“Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access, potentially impacting system confidentiality, integrity, and availability. This vulnerability could be exploited without authentication,” MiCollab said.
“If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information, including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab Server.”
The second bug is tracked as CVE-2024-55550, another path traversal vulnerability that grants administrative privileges. However, the impact of this bug is limited as it prevents cybercriminals from escalating their privileges or accessing files containing sensitive information. Therefore, the severity of this bug was assigned to “medium” – 4.4/10.
The third bug was found in Oracle WebLogic Server and is tracked as CVE-2020-2883. The patch was patched in April 2020 and gives threat actors the ability to remotely access vulnerable endpoints.
Now that all three vulnerabilities have been added to KEV, federal agencies have until January 28 to implement the fixes or stop using the products altogether. 8. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
Mitel’s MiCollab is a popular unified communications platform and as such a prime target for cybercriminals. In early December this year, the company patched a three-month-old zero-day vulnerability that allowed scammers to read sensitive files.
Via BleepingComputer