CISA Adds Oracle WebLogic Server and Mitel MiCollab Vulnerabilities to the KEV Catalog

Thursday, January 9, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities in Oracle WebLogic Server and Mitel MiCollab to its Known Exploited Vulnerabilities (KEV) catalog after these vulnerabilities were found to be actively exploited in real-world attacks.

The Oracle WebLogic Server vulnerability, identified as CVE-2020-2883, has a CVSS score of 9.8 and affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. This vulnerability allows attackers to execute code without authentication through the IIOP and T3 protocols.

Meanwhile, CVE-2024-41713 and CVE-2024-55550 are path traversal vulnerabilities in Mitel MiCollab, both carrying a CVSS score of 9.8. The CVE-2024-41713 vulnerability enables unauthenticated attackers to access system files and perform unauthorized actions, potentially compromising data security and system operations. On the other hand, CVE-2024-55550 requires administrator-level privileges but still poses a significant risk, as it could allow attackers to access sensitive internal files, potentially leading to further exploitation.

To mitigate these risks, federal agencies under the Federal Civilian Executive Branch (FCEB) are mandated to address these vulnerabilities within the specified timeline. CISA has set a remediation deadline of January 28, 2025, to prevent further exploitation and ensure that the vulnerabilities are resolved promptly.
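The KEV catalog is published as a JSON feed, and the practical question for a defender is which assets fall under the deadline above. The following added example (not from the article or from CISA) cross-references a constructed subset of the feed against a hypothetical asset inventory; the feed field names follow the real catalog, the `dateAdded` values are assumed, and MiCollab is treated as affected in every version because the article lists affected versions only for WebLogic.

```python
import json
from datetime import date

# Constructed subset of CISA's known_exploited_vulnerabilities.json feed.
# Field names match the real feed; dateAdded is assumed, dueDate and
# products are taken from the article.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2020-2883", "vendorProject": "Oracle", "product": "WebLogic Server",
  "dateAdded": "2025-01-07", "dueDate": "2025-01-28"},
 {"cveID": "CVE-2024-41713", "vendorProject": "Mitel", "product": "MiCollab",
  "dateAdded": "2025-01-07", "dueDate": "2025-01-28"},
 {"cveID": "CVE-2024-55550", "vendorProject": "Mitel", "product": "MiCollab",
  "dateAdded": "2025-01-07", "dueDate": "2025-01-28"}
]}
""")

# Constructed asset inventory (vendor, product, version) from a hypothetical CMDB.
INVENTORY = [
    ("Oracle", "WebLogic Server", "12.2.1.4.0"),
    ("Oracle", "WebLogic Server", "14.1.1.0.0"),
    ("Mitel", "MiCollab", "9.8 SP1"),
]

# Affected versions named in the article. A CVE with no entry here is
# treated as affecting every deployed version (assumption for MiCollab).
AFFECTED_VERSIONS = {
    "CVE-2020-2883": {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"},
}

def kev_exposure(kev, inventory, today):
    """Return (cveID, vendor, product, version, days_until_due) for every
    inventory item that matches a KEV entry; negative days mean overdue."""
    findings = []
    for entry in kev["vulnerabilities"]:
        versions = AFFECTED_VERSIONS.get(entry["cveID"])
        due = date.fromisoformat(entry["dueDate"])
        for vendor, product, version in inventory:
            if (vendor, product) != (entry["vendorProject"], entry["product"]):
                continue
            if versions is not None and version not in versions:
                continue  # version not in the affected list
            findings.append((entry["cveID"], vendor, product, version, (due - today).days))
    return findings

if __name__ == "__main__":
    for row in kev_exposure(KEV_SAMPLE, INVENTORY, date(2025, 1, 9)):
        print(row)
```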

Source: https://securityaffairs.com/172783/security/u-s-cisa-adds-oracle-weblogic-server-mitel-micollab-flaws-known-exploited-vulnerabilities-catalog.html