
CISA Warns of Mitel MiCollab Vulnerabilities Exploited in Attacks

CISA says two recently disclosed path traversal vulnerabilities in the Mitel MiCollab collaboration platform have been exploited in attacks.


The US cybersecurity agency CISA on Tuesday warned that two recently disclosed vulnerabilities affecting the Mitel MiCollab enterprise collaboration platform have been exploited in attacks.

The two security defects, tracked as CVE-2024-41713 and CVE-2024-55550, are described as path traversal issues that impact versions 9.8 SP1 FP2 (9.8.1.201) and earlier of Mitel MiCollab.

CVE-2024-41713 (CVSS score of 9.8) is a critical bug that could allow unauthenticated attackers to gain access to provisioning information and to perform unauthorized administrative actions on the server.

CVE-2024-55550 (CVSS score of 2.7) is a low-severity flaw that could be exploited to access resources typically constrained to the admin access level, but does not allow file modification or privilege escalation. Authentication as an administrator is required for successful exploitation of this defect.

Mitel released patches for the critical vulnerability in October 2024 but made no mention of the low-severity one; that flaw was disclosed in early December, without a CVE identifier, when attack surface management firm WatchTowr warned that it remained unpatched.

MiCollab version 9.8 SP2 (9.8.2.12), Mitel says in its advisory, addresses the critical-severity bug, mitigates the low-severity one, and addresses other critical- and high-severity security defects.

In December, WatchTowr published technical information on both vulnerabilities, along with proof-of-concept (PoC) exploit code that chains them for data exfiltration, but made no mention of either of them being exploited in the wild.

On Tuesday, however, CISA added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, warning that they have been exploited and urging federal agencies to apply the available patches and mitigations by January 28, as mandated by Binding Operational Directive (BOD) 22-01.


There does not appear to be any public information on the attacks involving exploitation of CVE-2024-41713 and CVE-2024-55550.

While BOD 22-01 only applies to federal agencies, all organizations are advised to identify vulnerable Mitel MiCollab instances within their environments and to update or remove them as soon as possible, to mitigate the risk of compromise.
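As an added example (not code from the article, CISA or Mitel), the following Python script triages an inventory of MiCollab build numbers against the versions the article cites: builds at or below 9.8.1.201 are flagged as affected by both CVEs, 9.8.2.12 and later as patched, and anything in between is marked for manual verification against the vendor advisory rather than assumed safe. The hostnames, the 9.7 build and the inventory format are constructed for the example.

```python
from typing import Dict, List, Tuple
# Version facts from the article: the path traversal bugs affect MiCollab
# 9.8 SP1 FP2 (9.8.1.201) and earlier; 9.8 SP2 (9.8.2.12) fixes CVE-2024-41713
# and mitigates CVE-2024-55550.
LAST_AFFECTED = (9, 8, 1, 201)
FIXED = (9, 8, 2, 12)
CVES = ("CVE-2024-41713", "CVE-2024-55550")

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.8.1.201' -> (9, 8, 1, 201); shorter strings are padded with zeros."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable MiCollab version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))

def classify(version: str) -> str:
    """Map a build string to 'affected', 'patched', 'verify' or 'unknown'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"          # version never recorded or malformed: go look
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED:
        return "patched"
    return "verify"               # between last affected and fix: check advisory

def triage_inventory(lines: List[str]) -> List[Dict[str, str]]:
    """Turn constructed 'hostname,version' lines into one triage record each."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        status = classify(version)
        records.append({"host": host.strip(), "version": version.strip(),
                        "status": status,
                        "cves": ", ".join(CVES) if status == "affected" else ""})
    return records

# Constructed sample inventory; hostnames and the 9.7 build are made up.
SAMPLE_INVENTORY = [
    "micollab-hq.example.internal,9.8.1.201",   # 9.8 SP1 FP2: affected
    "micollab-lab.example.internal,9.7.0.33",   # older build: affected
    "micollab-dr.example.internal,9.8.2.12",    # 9.8 SP2: patched
    "micollab-old.example.internal,n/a",        # version never recorded
]
```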


Written by Ionut Arghire, international correspondent for SecurityWeek.
