KEV turns up late to the party, carrying a bottle of 2020 Oracle

CVE-2020-2883: You patched that when you first heard about it, right? Ditto these Mitel MiCollab bugs...

Better late than never: five long years after a critical Oracle WebLogic Server bug was first reported as exploited in the wild, CISA has added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalogue.

CISA itself highlighted exploitation in 2020, and its addition to KEV in 2025 is likely some “dang-we-forgot-to-add-this-one” housekeeping rather than an indication of particularly renewed exploitation. (If you didn’t patch your servers for 60 months, welcome to a world of hurt anyhow.)

CVE-2020-2883 was reported by Bui Duong of Viettel Cyber Security via the ZDI. The underlying bug is in Oracle’s “Coherence” library, and researchers warned at the time that any application with the Coherence library in its code path, where there is a path to deserialization, is also vulnerable.


Also new to KEV this week are CVE-2024-41713 (a Mitel MiCollab path traversal bug) and CVE-2024-55550 (ditto). Both have been known to be exploited in the wild for at least a month, so those (hopefully a limited number of people) relying on CVEs being added to KEV to enforce patching are firmly shutting the stable door after the horse has not only bolted but been found with a broken leg and turned into dogfood.

With regard to the Mitel vulnerabilities, as attack surface specialist watchTowr noted in December: “VoIP platforms, which handle telephone calls for an organization, are a really juicy target for an APT. Imagine being able to listen in on the phone calls of your target, as they're happening - or even to interfere with them and block them at will! It's a very powerful thing to be able to do, and a godsend for an outcome-motivated attacker.”

A tear-down of the Mitel platform revealed some dubious product development decisions in the underlying code and what looks like a juicy attack surface, so… stay up to speed with ongoing patching and advisories from your VoIP providers, even if KEV is late to the party. ...
