
U.S. CISA adds SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini February 03, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability
  • CVE-2021-39935 GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
  • CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • CVE-2025-64328 Sangoma FreePBX OS Command Injection Vulnerability 

The SolarWinds flaw, tracked as CVE-2025-40551 (CVSS score of 9.8), is a deserialization of untrusted data issue in SolarWinds Web Help Desk. It allows an unauthenticated attacker to achieve remote code execution, running arbitrary commands on the underlying host and potentially leading to a complete compromise of the affected server. Researcher Jimi Sebree of Horizon3.ai discovered the vulnerability.

The GitLab flaw, tracked as CVE-2021-39935 (CVSS score of 7.5), is a Server-Side Request Forgery (SSRF) issue in GitLab Community and Enterprise Editions. In March 2025, GreyNoise observed a significant rise in SSRF exploitation, with around 400 unique IPs actively targeting 10 SSRF vulnerabilities, including CVE-2021-39935. Many of these IPs attempted to exploit several of the vulnerabilities simultaneously rather than a single flaw, a pattern that suggests automation or pre-compromise reconnaissance rather than typical botnet activity.

The older of the two Sangoma FreePBX flaws, CVE-2019-19006 (CVSS score of 9.8), is an improper authentication issue that allows a remote attacker to bypass the login mechanism and gain full administrative access without valid credentials. An unauthenticated user can effectively take control of the PBX web interface, change configurations, access call logs, and manage users, without knowing any password.

The newer FreePBX flaw, CVE-2025-64328 (CVSS score of 8.6), is an authenticated OS command injection vulnerability in the FreePBX Endpoint Manager. Once logged in, an attacker can inject arbitrary operating-system commands through the testconnection function, which are then executed with the privileges of the asterisk user. This can lead to full server takeover, data theft, or use of the system as a pivot into the wider network.
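The injection pattern described above, as an added example that is not FreePBX's own code: a hypothetical "test connection" handler that concatenates a user-supplied host into a shell command line, next to a hardened rewrite that allow-lists the host and invokes the probe without a shell. The function names, the `echo` stand-in for the real network probe, and the sample inputs are all assumptions made for this illustration.

```python
"""Hypothetical 'test connection' handler showing an OS command injection
pattern, next to a hardened rewrite.

Added example, not FreePBX's code: the function names, the 'echo' stand-in
for the real network probe, and the inputs are all assumptions."""
import ipaddress
import re
import subprocess

# The real feature would run a network probe (ping, a TCP connect, ...).
# 'echo' stands in so the example runs offline and shows what the shell sees.
PROBE_PROGRAM = "echo"

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_vulnerable_command(host: str) -> str:
    """Bug: untrusted input is concatenated straight into a shell command line."""
    return f"{PROBE_PROGRAM} probing {host}"


def probe_vulnerable(host: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';', '|', '&&',
    '$(...)' and backticks inside 'host' become shell syntax and run as
    whatever user the web application runs as."""
    proc = subprocess.run(build_vulnerable_command(host), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def validate_host(host: str) -> str:
    """Allow-list check: accept an IP literal or a dotted hostname of RFC 1123
    labels. Everything else (shell metacharacters, whitespace, a leading '-'
    that a probe would read as an option) is rejected with ValueError."""
    if not host or len(host) > 253:
        raise ValueError("host is empty or too long")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid host: {host!r}")
    return host


def is_safe_host(host: str) -> bool:
    """Convenience predicate around validate_host()."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def probe_hardened(host: str) -> str:
    """Validated input passed as one argv element with no shell: the host can
    never be interpreted as shell syntax, and validation also blocks option
    injection ('-h', '--foo') that an argv list alone would not prevent."""
    host = validate_host(host)
    proc = subprocess.run([PROBE_PROGRAM, "probing", host],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"      # constructed attacker input
    print("vulnerable:", repr(probe_vulnerable(payload)))
    print("hardened  :", repr(probe_hardened("127.0.0.1")))
    print("hardened rejects payload:", not is_safe_host(payload))
```

Running the block shows the second command from the payload executing in the vulnerable path, while the hardened path refuses the same input before anything is spawned. Note that switching to an argv list alone is not enough; without the allow-list a value such as `-h` still reaches the probe as an option, which is why validation and no-shell invocation are used together.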

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA has ordered federal agencies to remediate all listed vulnerabilities, except the SolarWinds flaw, by February 24, 2026. The SolarWinds vulnerability must be addressed by the end of this week, February 6, 2026.
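A practical way to act on KEV additions like these is to match the feed against an asset inventory and sort by CISA's due date. The following is an added example, not CISA's tooling or the article's own code: the KEV-style records are constructed from the four entries and due dates in this article (the dateAdded values are assumed to be the article date), and the inventory is a made-up asset list. The live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json uses the same field names.

```python
"""Check which entries in a KEV feed affect products in a local inventory and
how many days remain until CISA's due date.

Added example, not CISA's tooling. KEV_SAMPLE is constructed from this
article (dateAdded is assumed to be the article date); the live feed uses
the same field names. INVENTORY is a made-up asset list."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma", "product": "FreePBX",
         "vulnerabilityName": "Sangoma FreePBX Improper Authentication Vulnerability",
         "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
        {"cveID": "CVE-2021-39935", "vendorProject": "GitLab",
         "product": "GitLab Community and Enterprise Editions",
         "vulnerabilityName": "GitLab Community and Enterprise Editions "
                              "Server-Side Request Forgery (SSRF) Vulnerability",
         "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
        {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
         "vulnerabilityName": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2026-02-03", "dueDate": "2026-02-06"},
        {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma", "product": "FreePBX",
         "vulnerabilityName": "Sangoma FreePBX OS Command Injection Vulnerability",
         "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
    ],
})

# Constructed inventory of (vendor, product) pairs, compared case-insensitively.
INVENTORY = {("sangoma", "freepbx"), ("solarwinds", "web help desk")}


def parse_kev(feed_json: str) -> list:
    """Return the 'vulnerabilities' array of a KEV feed."""
    return json.loads(feed_json)["vulnerabilities"]


def affects_inventory(entry: dict, inventory: set) -> bool:
    """True when the entry's vendor/product pair is something we operate."""
    key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
    return key in inventory


def triage(feed_json: str, inventory: set, today: date) -> list:
    """Entries that match the inventory, sorted by due date then CVE ID, each
    annotated with days_left (negative means the CISA due date has passed)."""
    rows = []
    for entry in parse_kev(feed_json):
        if not affects_inventory(entry, inventory):
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": entry["cveID"],
            "vendorProject": entry["vendorProject"],
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Evaluate against an assumed 'today' between the two due dates.
    for row in triage(KEV_SAMPLE, INVENTORY, date(2026, 2, 10)):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cveID']}  {row['vendorProject']} {row['product']}  "
              f"due {row['dueDate']}  {state}")
```

With the constructed inventory the GitLab entry drops out, the SolarWinds entry sorts first because of its shorter deadline, and the two FreePBX entries share the February 24 due date. Swap `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for real CMDB data to use it in practice.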

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Source: https://securityaffairs.com/187592/security/u-s-cisa-adds-solarwinds-web-help-desk-sangoma-freepbx-and-gitlab-flaws-to-its-known-exploited-vulnerabilities-catalog.html