CISA Adds IBM and Mitel Vulnerabilities To Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added IBM and Mitel vulnerabilities to its Known Exploited Vulnerabilities Catalog.

CISA warned that “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.”

Both vendors' flaws were added to the Catalog on the basis of evidence of active exploitation, which is the standard criterion for inclusion.

IBM CVE-2022-47986

On February 21, 2023, CISA added an IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986) to its Known Exploited Vulnerabilities Catalog.

IBM’s Aspera Faspex is a file-exchange application built on IBM Aspera High-Speed Transfer Server as a centralized transfer solution.

According to an IBM advisory published on February 17, “IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system.”

The vulnerability is rated Critical, with a CVSS base score of 9.8.

IBM confirmed IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier versions are affected. The obsolete API call was removed in Faspex 4.4.2 PL2.
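The advisory attributes the flaw to YAML deserialization. To show why that class of bug is dangerous, here is a generic Ruby illustration added to this article. It is not Faspex code, not an exploit for CVE-2022-47986, and it says nothing about which Faspex endpoint is affected; the class DeserializationHook, the constructed YAML document, and the helper names unsafe_load, safe_load and demo are all assumptions made for the demonstration. What it does show is real Psych behaviour: a full load honours a `!ruby/object:` tag, instantiates whatever class the document names, and invokes that class's init_with hook during loading, whereas YAML.safe_load refuses the tag outright.

```ruby
require "yaml"

# Constructed stand-in for any application class whose init_with hook does
# something with state taken from the document. Psych calls init_with(coder)
# when it revives a !ruby/object tagged node, so merely loading the
# document executes this method with sender-controlled data.
class DeserializationHook
  attr_reader :payload
  @@invocations = []

  def self.invocations
    @@invocations
  end

  def init_with(coder)
    @payload = coder["payload"]
    @@invocations << @payload
  end
end

# Constructed YAML document (not a real Faspex request): it asks the loader
# to instantiate a class of the sender's choosing.
CRAFTED_YAML = <<~YAML
  --- !ruby/object:DeserializationHook
  payload: "ran during load"
YAML

# Legacy behaviour: a full (unsafe) load honours !ruby/object tags.
# Psych >= 3.3.2 exposes this as YAML.unsafe_load; older Psych versions only
# have YAML.load, which was unsafe by default until Psych 4.
def unsafe_load(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Hardened behaviour: safe_load refuses to instantiate arbitrary classes and
# raises Psych::DisallowedClass before any init_with hook can run.
def safe_load(doc)
  YAML.safe_load(doc)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

# Runs both loaders over the same document and reports what happened.
def demo
  obj = unsafe_load(CRAFTED_YAML)
  {
    unsafe_class: obj.class.name,
    unsafe_hook_ran: DeserializationHook.invocations.include?("ran during load"),
    safe_result: safe_load(CRAFTED_YAML)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The fix for this bug class is the same everywhere: never pass untrusted input to a full YAML load, use safe_load with an explicit allow-list of classes if you genuinely need typed objects, and remove or disable legacy endpoints that still reach the unsafe path, which is what IBM did by deleting the obsolete API call in 4.4.2 PL2.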

Mitel CVEs

On the same day, February 21, CISA also added two Mitel vulnerabilities to the Known Exploited Vulnerabilities Catalog:

  • CVE-2022-41223: Mitel MiVoice Connect Code Injection Vulnerability (CVSS 6.8)
  • CVE-2022-40765: Mitel MiVoice Connect Command Injection Vulnerability (CVSS 6.8).

Both issues affect the Director component of Mitel MiVoice Connect versions 19.3 (22.22.6100.0) and earlier. They could allow an authenticated attacker with internal network access to execute arbitrary code within the context of the application; note that neither is unauthenticated or reachable from the internet by default, which is reflected in their moderate CVSS scores.

The Mitel MiVoice Connect server/client solution helps customers manage their business communications using a desk phone, computer, or mobile device.

Readers can check out the most recent CISA advisory and Known Exploited Vulnerabilities Catalog for more details on these vulnerabilities.
