The US cybersecurity agency CISA on Tuesday warned that two recently disclosed vulnerabilities affecting the Mitel MiCollab enterprise collaboration platform have been exploited in attacks.
The two security defects, tracked as CVE-2024-41713 and CVE-2024-55550, are described as path traversal issues that impact versions 9.8 SP1 FP2 (9.8.1.201) and earlier of Mitel MiCollab.
CVE-2024-41713 (CVSS score of 9.8) is a critical bug that could allow unauthenticated attackers to gain access to provisioning information and to perform unauthorized administrative actions on the server.
CVE-2024-55550 (CVSS score of 2.7) is a low-severity flaw that could be exploited to access resources typically constrained to the admin access level, but does not allow file modification or privilege escalation. Authentication as an administrator is required for successful exploitation of this defect.
Mitel released patches for the critical vulnerability in October 2024 but made no mention of the low-severity one, which was disclosed in early December, without a CVE identifier, when attack surface management firm WatchTowr warned that it remained unpatched.
MiCollab version 9.8 SP2 (9.8.2.12), Mitel says in its advisory, addresses the critical-severity bug, mitigates the low-severity one, and addresses other critical- and high-severity security defects.
In December, WatchTowr published technical information on both vulnerabilities and proof-of-concept (PoC) exploit code that chains them for data exfiltration, but made no mention of either being exploited in the wild.
On Tuesday, however, CISA added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, warning that they have been exploited and urging federal agencies to apply the available patches and mitigations by January 28, as mandated by Binding Operational Directive (BOD) 22-01.
There does not appear to be any public information on the attacks involving exploitation of CVE-2024-41713 and CVE-2024-55550.
While BOD 22-01 only applies to federal agencies, all organizations are advised to identify vulnerable Mitel MiCollab instances within their environments and to update or remove them as soon as possible, to mitigate the risk of compromise.