Shweta Sharma
Senior Writer

Critical Mitel, Oracle flaws find active exploitation, CISA urges patching

News
08 Jan 2025, 3 mins
Communications Security, Vulnerabilities

CISA added the flaws to its known vulnerability catalog, recommending swift patching pursuant to Binding Operational Directive (BOD) 22-01.

Mitel Networks' MiCollab
Credit: Mitel Networks

Attackers are actively exploiting flaws in Mitel MiCollab to gain unauthorized access to sensitive system files, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.

On Tuesday the agency added two path traversal vulnerabilities in the widely used communication platform to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an advisory that also listed a critical Oracle WebLogic flaw first patched in 2020 and now being exploited as an N-day.

Chained for maximum impact

One of the Mitel flaws, tracked as CVE-2024-41713, is a critical (CVSS 9.8/10) path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab. Because of insufficient input validation, an unauthenticated attacker could gain unauthorized access and view, corrupt or delete user data and system configurations.

The other flaw, tracked as CVE-2024-55550 and rated moderate (CVSS 4.4/10), is a second path traversal vulnerability caused by insufficient input sanitization; it could allow an authenticated attacker to read admin-level files on the local system. The flaw does not allow file modification or privilege escalation, Mitel said in an October 2024 disclosure.

The CISA update gave no technical details of the in-the-wild exploitation, but the two vulnerabilities can be chained: the unauthenticated traversal gets a remote attacker past the authentication requirement, and the authenticated file read then exposes sensitive system files that it would otherwise only reveal to a logged-in user.
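To make the vulnerability class concrete, here is an added example of the input-validation mistake behind path traversal bugs like the two Mitel CVEs, beside a hardened version. This is illustrative code written for this article, not Mitel's code and not the exploit used against MiCollab; the directory layout and request paths are constructed, and the function names are hypothetical.

```python
"""
Path traversal: a file-serving helper that trusts the request path, and a
hardened version that canonicalises the path and refuses anything that
resolves outside the intended directory. Illustrative code, not MiCollab's.
"""
import os
import tempfile
from urllib.parse import unquote


class TraversalAttempt(Exception):
    """Raised by the hardened resolver when a request path escapes the base."""


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    # "Validation" that only strips a leading slash. The request is URL-decoded
    # (as a web front end would do) and joined to the base; '../' segments are
    # never considered, so the result can point anywhere on the file system.
    return os.path.join(base_dir, unquote(user_path).lstrip("/"))


def hardened_resolve(base_dir: str, user_path: str) -> str:
    # 1. Decode exactly once. Decoding in a loop would turn '%252e%252e' into
    #    '..' after the check below had already run on a harmless string.
    decoded = unquote(user_path)
    # 2. Reject embedded NUL, which truncates paths in some C-backed file APIs.
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in path")
    # 3. Canonicalise both sides (symlinks, '.', '..') before comparing.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # 4. Prefix check with a trailing separator, so '/srv/www-secret' is not
    #    accepted as being inside '/srv/www'.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalAttempt(f"{user_path!r} escapes {base_dir}")
    return candidate


def rejected_by_hardened(base_dir: str, user_path: str) -> bool:
    """True if the hardened resolver refuses the request path."""
    try:
        hardened_resolve(base_dir, user_path)
    except TraversalAttempt:
        return True
    return False


def escapes_base(base_dir: str, user_path: str, resolver) -> bool:
    """True if resolver() yields a path outside base_dir (after canonicalisation).

    A resolver that raises TraversalAttempt is treated as not escaping."""
    try:
        resolved = resolver(base_dir, user_path)
    except TraversalAttempt:
        return False
    root = os.path.realpath(base_dir)
    resolved = os.path.realpath(resolved)
    return resolved != root and not resolved.startswith(root + os.sep)


def demo() -> dict:
    """Constructed layout: a web root plus a 'secret.conf' one level above it.

    Returns {request_path: (vulnerable_escapes, hardened_escapes)}."""
    tmp = tempfile.mkdtemp()
    webroot = os.path.join(tmp, "www")
    os.makedirs(webroot)
    with open(os.path.join(tmp, "secret.conf"), "w") as fh:
        fh.write("admin_password=example\n")  # constructed sample file

    # Constructed request paths: one legitimate, three traversal attempts
    # (plain, URL-encoded dots, and an absolute-looking path).
    payloads = ["index.html", "../secret.conf",
                "%2e%2e/secret.conf", "/../secret.conf"]
    return {p: (escapes_base(webroot, p, vulnerable_resolve),
                escapes_base(webroot, p, hardened_resolve)) for p in payloads}


if __name__ == "__main__":
    for path, (vuln, hard) in demo().items():
        print(f"{path:22} vulnerable escapes={vuln!s:5} hardened escapes={hard}")
```

The important design choice is step 3: compare canonical paths rather than pattern-match the input for `..`. Denylist checks on the raw string are what encoded dots, mixed separators and symlinks routinely defeat.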

Mitel released patches and fixed versions for the affected releases in October 2024, and users should upgrade to them.

Active exploitation three months after the fixes shipped suggests that many installations remain unpatched and calls for immediate action. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to patch affected systems under BOD 22-01, which requires them to remediate actively exploited flaws within 15 days.

Attackers exploit critical Oracle flaw

The CISA advisory also highlighted an old Oracle vulnerability, which the company patched in April 2020 following reports of “attempts to maliciously exploit” it.

Identified as CVE-2020-2883, the flaw affects Oracle WebLogic Server and allows an unauthenticated attacker with network access, via the IIOP or T3 protocols, to fully take over the server. It carries a severity score of CVSS 9.8/10.

CISA said BOD 22-01 applies to the Oracle flaw as well, and urged all organizations to reduce their exposure to cyberattacks by prioritizing its remediation.
