CISA adds critical Mitel and Oracle vulnerabilities to exploited list
Exploitation could allow attackers to gain unauthorised access to an organisation's entire unified communications infrastructure
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three high-risk vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, mandating that federal agencies patch their systems by 28th January 2025.
These include two vulnerabilities in Mitel's MiCollab platform and a previously identified Oracle WebLogic Server bug that dates back to 2020.
The more severe of the two Mitel bugs, CVE-2024-41713, received a critical CVSS score of 9.1. This path traversal vulnerability, which exists in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab, does not require authentication, making it particularly dangerous.
Exploitation could allow attackers to gain unauthorised access to an organisation's entire unified communications infrastructure.
The second vulnerability, CVE-2024-55550, is less critical with a CVSS score of 2.7 but still poses a significant risk. This path traversal vulnerability is caused by insufficient input sanitisation.
Exploitation requires administrative privileges and permits authenticated attackers to access constrained resources at the admin access level.
While this vulnerability does not enable privilege escalation or file modification, it could still expose non-sensitive system information, making it a potential tool for attackers when combined with other vulnerabilities, such as CVE-2024-41713.
Mitel MiCollab is a widely used platform enabling instant messaging, voice, desktop video and web collaboration.
While the exact nature of the ongoing exploitation remains undisclosed, security researchers have observed concerning activity.
WatchTowr Labs, which initially discovered the Mitel MiCollab vulnerabilities, noted that CVE-2024-41713 and CVE-2024-55550 could be chained together to significantly increase the potential impact of an attack.
The two vulnerabilities affect Mitel MiCollab versions 9.8 SP1 FP2 (9.8.1.201) and earlier. Mitel has addressed these vulnerabilities in MiCollab version 9.8 SP2 (9.8.2.12) and later.
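As an added illustration (not code from the article, Mitel or CISA), the following script triages a constructed inventory of MiCollab build numbers against the two boundaries the article gives, comparing version fields numerically rather than as strings, which is a common source of mistakes when checking for such ranges. The host names and installed versions are invented sample data.

```python
# Added example, not part of the article: flag MiCollab builds that fall
# within the affected range described by Mitel. Hosts and versions below are
# constructed sample data, not real systems.
from typing import Dict, Tuple

# Boundaries quoted in the article.
LAST_AFFECTED = "9.8.1.201"  # 9.8 SP1 FP2 and earlier are affected
FIRST_FIXED = "9.8.2.12"     # 9.8 SP2 and later carry the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.8.1.201' into (9, 8, 1, 201) so each field compares as a number.

    A plain string comparison would rank '9.8.2.12' below '9.8.2.9', which is
    the wrong answer for a build number; tuples of ints avoid that pitfall.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {version!r}")
    return parts


def is_affected(version: str) -> bool:
    """True when the build is at or below the last affected build."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def is_fixed(version: str) -> bool:
    """True when the build is at or above the first fixed build."""
    return parse_version(version) >= parse_version(FIRST_FIXED)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'fixed', or 'unlisted'.

    'unlisted' covers builds between the two quoted boundaries; the article
    does not describe them, so they need vendor confirmation rather than a
    guess.
    """
    result = {}
    for host, version in inventory.items():
        if is_affected(version):
            result[host] = "affected"
        elif is_fixed(version):
            result[host] = "fixed"
        else:
            result[host] = "unlisted"
    return result
```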
Oracle WebLogic Server bug resurfaces
CISA is also warning about CVE-2020-2883, a vulnerability in Oracle's WebLogic Server that was patched in April 2020. The flaw enables unauthenticated attackers with network access to take full control of affected servers.
Exploited through the Internet Inter-ORB Protocol (IIOP) or the T3 protocol, this bug remains an attractive target for cybercriminals seeking organisations that have not applied the patch.
In 2020, Oracle said it had "received reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883, which affects multiple versions of Oracle WebLogic Server."
"Oracle strongly recommends that customers apply the April 2020 Critical Patch Update," the company stated.
The inclusion of these three vulnerabilities in the KEV catalogue reflects the urgent need for organisations to prioritise updates and adopt robust cybersecurity measures. The addition of the four-year-old Oracle WebLogic Server vulnerability in particular shows that many organisations are lax when it comes to patching critical applications.
CISA strongly urges all organisations, not just federal agencies, to immediately apply the necessary security updates and patches provided by Mitel and Oracle.
The agency recommends following vendor guidance, enhancing network segmentation, and monitoring for suspicious activity that could indicate exploitation attempts.