CISA Finds Serious Problems In Oracle & Mitel Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies about three flaws affecting Mitel MiCollab and Oracle WebLogic Server, adding them to its Known Exploited Vulnerabilities catalog. These security defects allow attackers to perform unauthorised administrative actions and to access user and network information.

Right now, there is no information on how these flaws are exploited in real-world attacks, who may be exploiting them, or the targets of these activities.

The list of problems includes:

  • CVE-2024-41713 - A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorised and unauthenticated access.
  • CVE-2024-55550 - A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system, due to insufficient input sanitisation.
  • CVE-2020-2883 - A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.
  • CVE-2024-41713 may be chained with CVE-2024-55550 to give a remote attacker the ability to read files on the server.

WatchTowr Labs first discovered these issues while attempting to replicate another critical bug in Mitel MiCollab, CVE-2024-35286, which was patched in May 2024. Concerning CVE-2020-2883, Oracle announced as long ago as 2020 that it had received "reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883."

According to information from Censys, there are more than 5,600 internet-exposed Mitel MiCollab instances, with nearly 3,000 of them located in the U.S., followed by Canada, the U.K., Australia, and the Netherlands.

CISA's Binding Operational Directive (BOD) 22-01 requires US federal agencies to apply the necessary updates by January 28, 2025, to secure their networks.
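The practical use of a KEV listing for a defender is to match it against what is actually running and track the BOD 22-01 deadline. The Python below is an example added here, not code from the article or from CISA: it cross-checks a hypothetical asset inventory against KEV entries constructed from the three CVE IDs and the January 28, 2025 due date given above, using the field names of CISA's known_exploited_vulnerabilities.json feed; the hostnames and remediation state are assumptions.

```python
"""Cross-check an asset inventory against CISA KEV entries and BOD 22-01 due dates."""
from datetime import date

# Constructed sample mirroring the KEV feed layout (only the fields used here);
# CVE IDs and dueDate are taken from the article, everything else is illustrative.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-41713", "vendorProject": "Mitel", "product": "MiCollab", "dueDate": "2025-01-28"},
        {"cveID": "CVE-2024-55550", "vendorProject": "Mitel", "product": "MiCollab", "dueDate": "2025-01-28"},
        {"cveID": "CVE-2020-2883", "vendorProject": "Oracle", "product": "WebLogic Server", "dueDate": "2025-01-28"},
    ]
}

# Hypothetical inventory: vendor/product per host plus the CVEs already remediated there.
INVENTORY = [
    {"host": "voice-01.example.internal", "vendor": "Mitel", "product": "MiCollab", "remediated": {"CVE-2024-41713"}},
    {"host": "app-02.example.internal", "vendor": "Oracle", "product": "WebLogic Server", "remediated": set()},
    {"host": "web-03.example.internal", "vendor": "Apache", "product": "HTTP Server", "remediated": set()},
]


def open_kev_findings(inventory, kev, today):
    """Return one finding per (host, CVE) where the host runs a KEV-listed product
    and the CVE is not yet remediated. `today` is an ISO date string; each finding
    records whether the BOD 22-01 due date has already passed."""
    today = date.fromisoformat(today)
    # Index KEV entries by (vendor, product), case-insensitively, for matching.
    by_product = {}
    for entry in kev["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in by_product.get(key, []):
            if entry["cveID"] in asset["remediated"]:
                continue  # already patched on this host
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cveID": entry["cveID"],
                             "dueDate": entry["dueDate"], "overdue": today > due})
    return findings


if __name__ == "__main__":
    for f in open_kev_findings(INVENTORY, KEV_SAMPLE, "2025-01-30"):
        status = "OVERDUE" if f["overdue"] else "due " + f["dueDate"]
        print(f"{f['host']}: {f['cveID']} ({status})")
```

Product names in the real feed are free text, so a production version would normalise them against an inventory's CPE or vendor naming before matching.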
