CISA says Oracle and Mitel have critical security flaws being exploited

Government agency adds three new flaws to its KEV catalog

08 Jan 2025, 16:27 · TechRadar

News By Sead Fadilpašić published 8 January 2025

(Image credit: Shutterstock)

CISA addS three new bugs to KEV - two in Mitel’s MiCollab, and one in Oracle WebLogic Server
The bugs allowed crooks to read sensitive files and take over vulnerable endpoints
Federal agencies have until late January 2025 to deploy the patch

The US Cybersecurity and Infrastructure Security Agency (CISA) HAS added three new flaws to its Exploited Vulnerabilities Catalog (KEV), signalling in-the-wild abuse, and giving federal agencies a deadline to patch things up.

Two of the three flaws are found in Mitel’s MiCollab unified communications platform. One is a critical path traversal vulnerability, tracked as CVE-2024-41713.

By abusing this bug, threat actors can run admin actions and access user and network information.

A deadline to patch

"A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system. This vulnerability is exploitable without authentication," MiCollab said.

"If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server."

The second bug is tracked as CVE-2024-55550, another path traversal vulnerability granting admin privileges. The impact of this bug is limited, however, since it doesn’t allow threat actors to escalate privileges, or access files with sensitive information. Therefore, the severity of this bug was assigned to “medium” - 4.4/10.

The third bug is found in Oracle WebLogic Server, and is tracked as CVE-2020-2883. It was patched in April 2020, and grants threat actors the ability to remotely access vulnerable endpoints.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors