CISA Finds Serious Problems In Oracle & Mitel Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws affecting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog and has warned federal agencies about them. These security defects allow attackers to perform unauthorised administrative actions and access user and network information.

Right now, there is no information on how these flaws are exploited in real-world attacks, who may be exploiting them, or the targets of these activities.

The list of problems includes:

  •  CVE-2024-41713 - A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorised and unauthenticated access.
  •  CVE-2024-55550 - A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files on the system, due to insufficient input sanitisation.
  •  CVE-2020-2883 - A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.
  •  CVE-2024-41713 may be chained with CVE-2024-55550 in a way that permits a remote attacker to read files on the server.
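Both MiCollab entries are path traversal bugs, the class the second bullet attributes to "insufficient input sanitisation". The following is an added example, not code from the article, from Mitel or from watchTowr, and it says nothing about how MiCollab itself is built: it places the join-and-trust pattern that produces this bug class beside a hardened resolver, and exercises both against a constructed directory tree so the difference is visible. Directory and file names are made up for the demonstration.

```python
"""Path traversal: the join-and-trust pattern beside a hardened resolver."""
import os
import tempfile
from pathlib import Path


def unsafe_join(base_dir: str, user_path: str) -> str:
    # The pattern behind most path traversal bugs: a caller-supplied segment is
    # joined to a trusted root and never checked afterwards. "../" segments walk
    # out of base_dir, and an absolute user_path makes os.path.join drop base_dir
    # entirely. Normalising the string does not help; it only tidies the escape.
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> Path:
    """Return the canonical path for user_path inside base_dir, or raise ValueError.

    Canonicalise both sides (symlinks and '..' included), then require that the
    result still lies under the root. Stripping '../' substrings is not an
    adequate fix: absolute paths and symlinks bypass a deny-list, and the check
    has to happen on the resolved path, not on the raw input.
    """
    root = Path(base_dir).resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes root: {user_path!r}")
    return candidate


def demo() -> dict:
    """Exercise both functions against a constructed tree and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "reports").mkdir(parents=True)
        (root / "reports" / "summary.txt").write_text("ok")
        secret = Path(tmp) / "secret.txt"          # lives outside the web root
        secret.write_text("should never be served")
        (root / "link").symlink_to(secret)          # a symlink that points outside

        legit = "reports/summary.txt"
        dotdot = "../secret.txt"
        absolute = str(secret)
        via_link = "link"

        # The naive join hands back the file outside the root in both cases.
        results["unsafe_dotdot_escapes"] = unsafe_join(str(root), dotdot) == str(secret)
        results["unsafe_absolute_escapes"] = unsafe_join(str(root), absolute) == str(secret)

        # The hardened resolver serves the legitimate file and refuses the rest.
        results["safe_legit"] = safe_resolve(str(root), legit).read_text()
        for name, p in (("dotdot", dotdot), ("absolute", absolute), ("symlink", via_link)):
            try:
                safe_resolve(str(root), p)
                results[f"safe_rejects_{name}"] = False
            except ValueError:
                results[f"safe_rejects_{name}"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The symlink case is the one most often missed in review: a check on the unresolved string passes, because "link" contains no dots, yet the file it opens is outside the root. Resolving first and comparing afterwards closes that gap along with the `..` and absolute-path variants.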

WatchTowr Labs first discovered these issues while attempting to replicate another critical bug in Mitel MiCollab, CVE-2024-35286, which was patched in May 2024. Concerning CVE-2020-2883, Oracle announced as long ago as 2020 that it had received "reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883."

According to data from Censys, there are more than 5,600 internet-exposed Mitel MiCollab instances, nearly 3,000 of them located in the U.S., followed by Canada, the U.K., Australia, and the Netherlands.

CISA's Binding Operational Directive (BOD) 22-01 requires US federal agencies to apply the necessary updates by January 28, 2025, to secure their networks.
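BOD 22-01 turns a KEV listing into a dated remediation obligation, and the practical task for an agency or any organisation that mirrors the directive is to pull the catalog, find the entries for the products it runs, and track the due dates. The script below is an added example, not code from the article or from CISA: it parses a constructed catalog laid out like CISA's `known_exploited_vulnerabilities.json` (the field names `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dueDate` and `requiredAction` are assumed to match the public feed), filters by vendor, and reports days remaining or overdue status against a chosen date. The three CVE ids, vendors, products and the 28 January 2025 deadline come from the article; the descriptions, the `requiredAction` text and the extra `ExampleVendor` entry are placeholders constructed to show filtering.

```python
"""Triage a CISA KEV-style catalog against BOD 22-01 due dates."""
import json
from datetime import date

# Constructed sample in the layout of CISA's known_exploited_vulnerabilities.json.
# Field names are assumed to match the public feed. CVE ids, vendors, products
# and the 2025-01-28 due date come from the article; everything else here,
# including the ExampleVendor row, is a placeholder for the demonstration.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed sample of a KEV catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2024-41713", "vendorProject": "Mitel", "product": "MiCollab",
         "vulnerabilityName": "Mitel MiCollab path traversal (placeholder text)",
         "dueDate": "2025-01-28", "requiredAction": "placeholder: apply vendor updates"},
        {"cveID": "CVE-2024-55550", "vendorProject": "Mitel", "product": "MiCollab",
         "vulnerabilityName": "Mitel MiCollab path traversal (placeholder text)",
         "dueDate": "2025-01-28", "requiredAction": "placeholder: apply vendor updates"},
        {"cveID": "CVE-2020-2883", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server vulnerability (placeholder text)",
         "dueDate": "2025-01-28", "requiredAction": "placeholder: apply vendor updates"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "placeholder entry for an unrelated product",
         "dueDate": "2025-03-01", "requiredAction": "placeholder"},
    ],
})


def load_catalog(raw: str) -> list:
    """Return the list of vulnerability records from a KEV-style JSON document."""
    return json.loads(raw)["vulnerabilities"]


def entries_for(catalog: list, vendors: set) -> list:
    """Keep only the records whose vendorProject is in the set we actually run."""
    return [v for v in catalog if v["vendorProject"] in vendors]


def triage(catalog: list, vendors: set, today: date) -> list:
    """One row per matching entry: days left until the due date, and whether it has passed."""
    rows = []
    for v in entries_for(catalog, vendors):
        due = date.fromisoformat(v["dueDate"])
        rows.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "due": v["dueDate"],
            "days_left": (due - today).days,   # negative once the deadline has passed
            "overdue": today > due,
            "action": v["requiredAction"],
        })
    # Most urgent first, so the top of the report is what needs attention today.
    return sorted(rows, key=lambda r: r["days_left"])


def render(rows: list) -> str:
    """Plain-text report, one line per entry."""
    lines = []
    for r in rows:
        status = "OVERDUE" if r["overdue"] else f'{r["days_left"]} days left'
        lines.append(f'{r["cve"]:<16} {r["product"]:<24} due {r["due"]}  {status}')
    return "\n".join(lines)


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    # Swap in date.today() and the live feed for real use; a fixed date keeps the
    # demonstration reproducible.
    print(render(triage(catalog, {"Mitel", "Oracle"}, date(2025, 1, 10))))
```

Against the live feed the only change is replacing `SAMPLE_KEV_JSON` with the downloaded document and the vendor set with the products in your inventory; the value of running it on a schedule is that a newly added entry for a product you own surfaces with its deadline the day it appears, rather than when someone reads the advisory.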

Sources: CISA | Oracle | Oracle | Watchtowr | CVE | CVE | CVE | Bleeping Computer | HackerNews | Censys
