IBM, Mitel Software Exploits Join CISA Vulnerability Catalog
The Cybersecurity and Infrastructure Security Agency has identified three vulnerabilities in IBM and Mitel software products that have been exploited by hackers. It has added the vulnerabilities to the Known Exploited Vulnerabilities Catalog, a list of common vulnerabilities and exposures that pose a danger to federal government systems.
Version 4.4.2 Patch Level 1 of IBM Aspera Faspex, a file exchange system meant to work similarly to email, was found to contain a flaw enabling attackers to run arbitrary code. The vulnerability was addressed in a subsequent fix.
Two vulnerabilities were discovered in Mitel’s MiVoice Connect, a business communications solution that is intended to provide users with a single interface for audio and video calls, instant messaging and screen sharing. The program’s Director database and Edge Gateway components were found to contain “insufficient restrictions” that enable malicious actors to inject code or commands.
Federal civilian executive branch agencies are required to remediate the vulnerabilities by March 14, CISA said.
Another recent addition to the Known Exploited Vulnerabilities Catalog is a command-injection vulnerability found in the Cacti platform, an open-source operational management and fault management server application. The bug allowed unauthenticated users to collect clients’ internet protocol addresses.
Earlier in February, CISA flagged four vulnerabilities found in Apple and Microsoft software.