The Cybersecurity and Infrastructure Security Agency (CISA) on Jan. 7 added three bugs to its Known Exploited Vulnerabilities (KEV) catalog, two that affected the Mitel MiCollab communications and collaboration platform, and an Oracle WebLogic Server bug from 2020.
Of the two Mitel MiCollab bugs, the more serious, CVE-2024-41713, carries a critical CVSS score of 9.1, while the less severe one, CVE-2024-55550, scores 4.4 and was added because it can lead to further system compromise when chained with other vulnerabilities.
Sarah Jones, cyber threat intelligence research analyst at Critical Start, said CVE-2024-41713, the critical path traversal Mitel MiCollab bug, was particularly dangerous because it requires no authentication, potentially letting attackers gain unauthorized access to the entire unified communications infrastructure.
“This could lead to system compromise, data exfiltration, and potential lateral movement within networks,” said Jones.
Jones added that while less severe, CVE-2024-55550 still poses a notable risk. Although it requires administrative privileges, this second path traversal vulnerability in MiCollab could let attackers read sensitive local files because of insufficient input sanitization.
In terms of CVE-2020-2883 in Oracle WebLogic Server, Jones said despite being patched in April 2020, the bug remains a serious threat because it lets unauthenticated attackers with network access potentially take complete control of affected servers via the Internet Inter-ORB Protocol (IIOP) or T3 protocol.
“The age of this vulnerability is especially concerning, as attack methods are well-documented and easily accessible to threat actors,” said Jones.
To protect against these vulnerabilities, Jones said security teams should implement a multi-layered defense strategy. Immediate actions should include the following: emergency patching of all affected Mitel MiCollab systems, deploying Web Application Firewall rules to filter path traversal attempts, and verifying that all Oracle WebLogic Server installations are patched against CVE-2020-2883.
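As an added example, not code from the article, from Mitel or from Oracle, here is the kind of check that a WAF rule or a log-review script for the path-traversal recommendation above has to implement. The point it makes is that matching the literal string `../` is not enough: the request has to be normalized the way the back-end will normalize it (percent-decoding, including double encoding, backslashes, and the `;param` suffixes that Java servlet containers strip from each path segment) before deciding whether it climbs above the web root. The access-log lines and request paths are constructed for this illustration and are not taken from any real exploit or from either vendor's products.

```python
import re
from urllib.parse import unquote

# Matches the request line in a Common Log Format entry: "GET /path HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic). Only the traversal attempts on
# lines 2-5 should be flagged; line 6 stays inside the web root.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2025:10:00:01 +0000] "GET /portal/login.html HTTP/1.1" 200 1204
10.0.0.9 - - [07/Jan/2025:10:00:07 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [07/Jan/2025:10:00:09 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [07/Jan/2025:10:00:11 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [07/Jan/2025:10:00:13 +0000] "GET /app/..;/..;/admin/config HTTP/1.1" 200 512
10.0.0.7 - - [07/Jan/2025:10:00:20 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 880
"""


def normalize_path(raw_target):
    """Return the path roughly as the back-end file-system layer will see it."""
    path = raw_target.split("?", 1)[0]      # the query string does not select a file
    # Decode repeatedly so "%252e" -> "%2e" -> "." (double encoding) is caught.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # Windows back-ends accept either separator
    # Servlet containers drop ";param" suffixes per segment before matching,
    # so "..;/" reaches the file system as "../". Strip them the same way.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/".join(segments)


def escapes_root(path):
    """True if '..' segments climb above the web root at any point."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_traversal(raw_target):
    """Decide on the normalized form, not on the raw bytes of the request."""
    return escapes_root(normalize_path(raw_target))


def scan_log(text):
    """Return (line_number, raw_target, normalized_path) for each flagged request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append((n, m.group("target"), normalize_path(m.group("target"))))
    return hits


if __name__ == "__main__":
    for n, raw, norm in scan_log(SAMPLE_LOG):
        print(f"line {n}: {raw!r} -> {norm!r}")
```

Two caveats a practitioner should keep in mind. First, `normalize_path` only models the decoding steps listed above; a back-end that accepts other encodings (overlong UTF-8, for example) needs those added, which is exactly why a WAF rule is a stopgap and patching is the fix. Second, `escapes_root` is deliberately not a substring match, so a legitimate `/docs/a/../b.html` that resolves inside the web root is not flagged, keeping false positives down when the rule is run over production traffic.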