The U.S. Cybersecurity and Infrastructure Security Agency has identified three actively exploited vulnerabilities affecting Mitel MiCollab and Oracle WebLogic Server platforms. These security flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog.
Critical Vulnerabilities:

1. Mitel MiCollab (CVE-2024-41713)
   – Severity: 9.1/10
   – Impact: Allows unauthorized system access
   – Type: Path traversal vulnerability
   – No authentication required

2. Mitel MiCollab (CVE-2024-55550)
   – Severity: 4.4/10
   – Impact: Enables local file access
   – Type: Path traversal vulnerability
   – Requires administrative privileges

3. Oracle WebLogic Server (CVE-2020-2883)
   – Severity: 9.8/10
   – Impact: System compromise via IIOP/T3
   – Type: Security vulnerability
   – No authentication required
Security researchers at WatchTowr Labs found that CVE-2024-41713 can be chained with CVE-2024-55550, allowing unauthenticated remote attackers to access server files. Oracle reported that exploitation of CVE-2020-2883 was attempted after its patch was released in April 2020.
Federal agencies must implement security updates by January 28, 2025, as mandated by Binding Operational Directive (BOD) 22-01.
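The practical task behind a KEV addition is checking your own inventory against the catalog and tracking the BOD 22-01 due date. The script below is an added example, not code from the article or from CISA: it parses a KEV-shaped JSON document (the field names cveID, vendorProject, product and dueDate mirror CISA's public KEV feed as an assumption), matches it against a constructed asset inventory with placeholder hostnames, and reports which matches are overdue as of a given day. The three catalog records are built from the summary above, all with the January 28, 2025 deadline it states.

```python
"""Triage a constructed asset inventory against KEV-style records.

Added example, not from the original article. KEV field names are an
assumption based on CISA's public JSON feed; all records and hosts below
are constructed for illustration.
"""
import json
from datetime import date

# Constructed KEV-style feed containing the three entries from the summary.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-41713", "vendorProject": "Mitel",
         "product": "MiCollab", "dueDate": "2025-01-28",
         "shortDescription": "Path traversal, no authentication required"},
        {"cveID": "CVE-2024-55550", "vendorProject": "Mitel",
         "product": "MiCollab", "dueDate": "2025-01-28",
         "shortDescription": "Path traversal, requires admin privileges"},
        {"cveID": "CVE-2020-2883", "vendorProject": "Oracle",
         "product": "WebLogic Server", "dueDate": "2025-01-28",
         "shortDescription": "Unauthenticated compromise via IIOP/T3"},
    ]
})

# Constructed asset inventory; hostnames are placeholders.
INVENTORY = [
    {"host": "voip-01.example.internal", "vendor": "Mitel", "product": "MiCollab"},
    {"host": "app-02.example.internal", "vendor": "Oracle", "product": "WebLogic Server"},
    {"host": "db-03.example.internal", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(feed_text):
    """Parse a KEV-shaped JSON document into its list of entry dicts."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(s):
    """Case- and whitespace-insensitive form of a vendor/product string."""
    return " ".join(s.lower().split())


def match_inventory(inventory, kev_entries):
    """Return (host, cveID, dueDate) for each asset whose vendor and product
    appear in the catalog. KEV carries no version data, so a real inventory
    check must still confirm the installed version is affected."""
    hits = []
    for asset in inventory:
        for e in kev_entries:
            if (_norm(asset["vendor"]) == _norm(e["vendorProject"])
                    and _norm(asset["product"]) == _norm(e["product"])):
                hits.append((asset["host"], e["cveID"],
                             date.fromisoformat(e["dueDate"])))
    return hits


def overdue(hits, today):
    """Subset of hits whose BOD 22-01 due date has already passed."""
    return [h for h in hits if h[2] < today]


def triage(feed_text, inventory, today_iso):
    """Full report for one day: matched assets, overdue CVEs, days left."""
    today = date.fromisoformat(today_iso)
    hits = match_inventory(inventory, load_kev(feed_text))
    return {
        "matched": sorted((h[0], h[1]) for h in hits),
        "overdue": sorted(h[1] for h in overdue(hits, today)),
        # Negative values mean the deadline has passed.
        "days_remaining": {f"{h[0]}:{h[1]}": (h[2] - today).days for h in hits},
    }


if __name__ == "__main__":
    print(json.dumps(triage(KEV_FEED_JSON, INVENTORY, "2025-01-18"), indent=2))
```

Run against the real feed by replacing KEV_FEED_JSON with the downloaded catalog text; the matching is deliberately exact on vendor and product strings, so inventory naming has to be normalised to CISA's spelling before this is useful at scale.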