The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities affect Mitel MiCollab and Oracle WebLogic Server and have been identified as actively exploited. The listed vulnerabilities include CVE-2024-41713 (CVSS score: 9.1), which allows attackers to gain unauthorized access, CVE-2024-55550 (CVSS score: 4.4), which allows an authenticated attacker to read local files within the system, and CVE-2020-2883 (CVSS score: 9.8), which can be exploited remotely in Oracle WebLogic Server. CISA’s inclusion of these flaws comes with a clear warning to government agencies to apply necessary security patches.
CVE-2024-41713 and CVE-2024-55550 are path traversal vulnerabilities found in Mitel MiCollab, which could be exploited to gain unauthorized access or read files within the system. An attacker could chain these flaws together to achieve remote, unauthenticated access to arbitrary files on the server, significantly compromising the security of affected systems. The flaws were discovered during research by WatchTowr Labs, which had initially investigated other vulnerabilities, including CVE-2024-35286, which was patched in May 2024. These findings highlight the severity of the issues and the ongoing risks to users of Mitel MiCollab.
CVE-2020-2883 is a security flaw in Oracle WebLogic Server that allows unauthenticated attackers with network access via IIOP or T3 to exploit the vulnerability. Despite being reported as far back as April 2020, Oracle received warnings of attempted exploits, indicating that the flaw continues to be a target for malicious actors. However, there are no detailed reports yet on how these vulnerabilities are being exploited in real-world scenarios, who is behind the attacks, or what specific systems have been targeted. CISA’s warning serves as a proactive measure to ensure agencies are aware of these risks and take appropriate action.
As part of the ongoing efforts to protect federal networks, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply patches to mitigate the identified vulnerabilities by January 28, 2025. This deadline is part of Binding Operational Directive (BOD) 22-01, which aims to strengthen the cybersecurity posture of U.S. government networks. The inclusion of these vulnerabilities in CISA’s KEV catalog underscores the critical need for timely updates to prevent potential exploitation by threat actors.
