Mitel MiCollab, Oracle WebLogic Server vulnerabilities exploited by attackers


CISA has added Mitel MiCollab (CVE-2024-41713, CVE-2024-55550) and Oracle WebLogic Server (CVE-2020-2883) vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The exploited Mitel MiCollab vulnerabilities

Mitel MiCollab is a popular enterprise collaboration suite.

CVE-2024-41713 and CVE-2024-55550 are both path traversal vulnerabilities.

The former is exploitable without authentication, and may allow an attacker to gain access “to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server.”

The latter can be exploited only by an authenticated attacker with administrative privileges, to access specific resources and non-sensitive system information; it does not allow file modification or privilege escalation, Mitel says.

Both vulnerabilities were reported to Mitel by watchTowr researcher Sonny Macdonald. Two months after the patch for CVE-2024-41713 had been made available, he shared details about them publicly, as well as a proof-of-concept exploit chaining them together.

CVE-2024-55550 had not yet been assigned a CVE number at the time and still has no full fix, but Mitel says it is “substantially mitigated” in MiCollab 9.8 SP2 (9.8.2.12) and will be addressed in future product updates. (Patches for older MiCollab versions are also available.)
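Both MiCollab flaws are path traversals, and the PoC chains an unauthenticated one with an authenticated one. A defender who cannot patch immediately will want to know whether traversal attempts have already hit the server. The script below is an added example for this article, not Mitel's code and not the watchTowr proof-of-concept; it encodes no MiCollab-specific paths. It normalises request paths the way a lax server might (repeated percent-decoding, backslash folding, stripping `;` path-parameter segments) and flags any request whose decoded path climbs above the web root. The log lines are constructed samples in Combined Log Format, not real traffic.

```python
"""Generic path-traversal detector for web access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic): one benign "../" that stays
# inside the root, and three traversals using different encodings.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [07/Jan/2025:10:00:02 +0000] "GET /app/..%2f..%2fetc/passwd HTTP/1.1" 200 1431
203.0.113.5 - - [07/Jan/2025:10:00:03 +0000] "GET /app/..;/..;/admin/config HTTP/1.1" 200 88
203.0.113.5 - - [07/Jan/2025:10:00:04 +0000] "GET /app/%252e%252e/%252e%252e/secret HTTP/1.1" 404 0
203.0.113.5 - - [07/Jan/2025:10:00:05 +0000] "GET /app/docs/../images/logo.png HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalise(target: str, max_rounds: int = 3) -> str:
    """Decode a request target the way a permissive server might resolve it."""
    path = target.split("?", 1)[0]
    # Repeated decoding catches double-encoded sequences such as %252e%252e.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators (Windows-style traversal, %5c).
    path = path.replace("\\", "/")
    # Drop ";param" suffixes that some servers ignore when routing ("..;/").
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def escapes_root(path: str) -> bool:
    """True if the path ever climbs above its root while being resolved."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text: str):
    """Return (line_no, method, status, raw_target, normalised_path) per hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQ_RE.search(line)
        if not m:
            continue
        norm = normalise(m["target"])
        if escapes_root(norm):
            hits.append((line_no, m["method"], int(m["status"]), m["target"], norm))
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

The status code is carried through on purpose: a traversal that returned 200 with a non-trivial byte count is the line an incident responder should chase first, while a 404 still shows that someone was probing.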

The Oracle WebLogic Server vulnerability

CVE-2020-2883 is an “easily exploitable” vulnerability that may allow an unauthenticated attacker with network access via the IIOP or T3 protocols to execute code in the context of the WebLogic service account and thus take over a vulnerable Oracle WebLogic Server.

The vulnerability, a bypass of the patch for an earlier flaw (CVE-2020-2555), was fixed in Oracle's April 2020 Critical Patch Update.
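Because the precondition for CVE-2020-2883 is T3 or IIOP reachable from an untrusted network, the quickest inventory check is to see which hosts still answer a T3 handshake. The script below is an added example for this article, not Oracle's code: it sends the plaintext T3 hello, parses the `HELO:` banner WebLogic returns, and reports the version. The list of affected release lines is taken from Oracle's April 2020 advisory and is an assumption to verify against that advisory; the sample reply is constructed, not captured from a live host. The banner shows the release line, not whether the CPU patch has been applied, so a match means "check this host", not "this host is unpatched"; an exposed T3 listener is itself the finding.

```python
"""T3 banner check for Oracle WebLogic (added example, not Oracle's code)."""
import socket

# Plaintext T3 hello; WebLogic answers with a HELO line carrying its version.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Release lines Oracle's April 2020 CPU lists for CVE-2020-2883.
# Assumption: verify against the advisory before relying on it.
AFFECTED = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}

# Constructed sample reply shaped like a real HELO (not from a live server).
SAMPLE_HELO = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n"


def parse_helo(reply: bytes):
    """Return (version, flag) from a T3 HELO reply, or None if it is not T3."""
    text = reply.decode("ascii", errors="replace")
    first = text.split("\n", 1)[0]
    if not first.startswith("HELO:"):
        return None
    body = first[len("HELO:"):]
    # Format: HELO:<dotted version>.<true|false>; the last field is a boolean flag.
    version, sep, flag = body.rpartition(".")
    if not sep or flag not in ("true", "false"):
        return None
    return version, flag


def assess(reply: bytes) -> dict:
    """Summarise a reply: is T3 up, what version, is it an affected release line."""
    parsed = parse_helo(reply)
    if parsed is None:
        return {"t3": False, "version": None, "affected_release_line": False}
    version, _flag = parsed
    return {
        "t3": True,
        "version": version,
        # Matching a release line does not prove the CPU patch is missing.
        "affected_release_line": version in AFFECTED,
    }


def probe(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Send the T3 hello to host:port and assess the reply (network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        reply = s.recv(1024)
    return assess(reply)


if __name__ == "__main__":
    import sys
    # With a host argument this probes it; without one it assesses the sample.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_HELO))
```

Run it only against hosts you are authorised to test. A non-T3 reply (an HTTP error page, for instance, when only the HTTP listener is exposed) is reported as `t3: False`, which is the outcome you want after restricting the protocol as Oracle's advisory recommends.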

CISA’s additional advice

By adding the three flaws to its KEV catalog, the Cybersecurity and Infrastructure Security Agency effectively confirms their in-the-wild exploitation and tells US federal civilian executive branch agencies that they have three weeks to remediate them. Details about the attacks themselves are usually not shared.

What stands out in this latest KEV update is that CISA had already flagged CVE-2020-2883 as exploited back in May 2020, before the KEV catalog existed. The agency has not said why it added the flaw now, but it may have received more recent reports of attacks in the wild.

In the same update, CISA also urged users and administrators to review the threat briefs and security bulletins for CVE-2024-0012 and CVE-2024-9474, two vulnerabilities in Palo Alto Networks firewalls that were exploited as zero-days by attackers in November 2024.