PROBABLYPWNED
Vulnerabilities | February 4, 2026 | 3 min read

CISA Adds SolarWinds, Sangoma, GitLab Flaws to KEV

Four actively exploited vulnerabilities added to CISA's catalog including SolarWinds Web Help Desk deserialization flaw with CVSS 9.8. Federal agencies have until February 6 to patch.

Marcus Chen

CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on February 3, confirming active exploitation in the wild. The additions include a critical SolarWinds Web Help Desk flaw, two Sangoma FreePBX vulnerabilities, and an older GitLab SSRF bug that attackers have apparently rediscovered.

Federal agencies face an aggressive deadline: SolarWinds Web Help Desk (CVE-2025-40551) must be patched by February 6—just three days from the announcement. The remaining vulnerabilities have a February 24 remediation deadline under Binding Operational Directive 22-01.

SolarWinds Web Help Desk Under Attack

The SolarWinds vulnerability (CVE-2025-40551, CVSS 9.8) stems from insecure deserialization. Attackers can send malicious serialized objects to the application, achieving remote code execution without authentication. CISA's description is blunt: the flaw "could lead to remote code execution, which would allow an attacker to run commands on the host machine."

This marks another chapter in SolarWinds' security struggles. The company patched CVE-2025-40551 alongside four additional critical flaws (CVE-2025-40536, CVE-2025-40537, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554), suggesting a broader audit uncovered systemic issues. We covered the initial patch release last week—the KEV addition confirms attackers moved fast.

Versions of SolarWinds Web Help Desk prior to 2026.1 are vulnerable. Organizations still running older versions should assume they have been targeted: a three-day federal deadline implies significant threat activity.

Sangoma FreePBX: Authentication Bypass and Command Injection

Two Sangoma FreePBX vulnerabilities made the KEV list:

CVE-2019-19006 is an improper authentication vulnerability. Despite its 2019 disclosure date, attackers continue exploiting it against organizations that never patched—a common pattern where legacy vulnerabilities outlive their initial publicity cycle.

CVE-2025-64328 is an OS command injection flaw that could enable remote access to FreePBX systems. VoIP infrastructure often sits on network segments with access to sensitive communications, making these systems attractive targets for espionage operations.

FreePBX powers thousands of business phone systems worldwide. The combination of an authentication bypass and command injection provides a complete attack chain: bypass login, inject commands, own the system.

GitLab SSRF Returns

CVE-2021-39935 affects both GitLab Community and Enterprise editions. The server-side request forgery (SSRF) vulnerability allows authenticated attackers to make the GitLab server initiate requests to internal systems—potentially accessing cloud metadata services, internal APIs, or other resources not intended for external access.

The 2021 date suggests organizations either never patched or subsequently deployed vulnerable versions. GitLab instances accessible from the internet are particularly at risk, as attackers routinely scan for exposed developer tools. This mirrors ongoing exposure issues affecting Git hosting platforms.

The KEV Pattern

Adding vulnerabilities to the KEV catalog means CISA has confirmed exploitation in real attacks, not just theoretical proof-of-concept code. The varied ages of these CVEs—2019, 2021, and 2025—illustrate how attackers mix old and new vulnerabilities based on target environments. Ransomware operators increasingly leverage KEV-listed flaws as part of their initial access playbooks.

For private sector organizations, the BOD 22-01 deadlines don't technically apply, but CISA explicitly recommends treating KEV additions as priority patches. The logic is simple: if federal systems are being attacked, commercial systems are too.

Security teams should check whether these products exist in their environment, regardless of whether formal asset inventories list them. SolarWinds Web Help Desk and Sangoma FreePBX often appear as shadow IT installations or legacy systems that predate current security programs.

Recommended Actions

  1. SolarWinds Web Help Desk: Update to version 2026.1 immediately. Conduct forensic review if running vulnerable versions.
  2. Sangoma FreePBX: Apply latest patches. Audit network access—VoIP systems shouldn't be internet-accessible.
  3. GitLab: Verify installed versions across all instances, including developer sandboxes and CI/CD infrastructure.
  4. General: Subscribe to CISA KEV alerts for ongoing awareness of actively exploited vulnerabilities.
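The inventory check above (confirm whether these products exist in your environment, then work the BOD 22-01 due dates soonest-first) can be scripted against the KEV feed. The example below is added here and is not code from the article or from CISA; the JSON field names follow the public CISA KEV feed, while the four entries and the asset rows are constructed from the article's CVEs and deadlines.

```python
"""Prioritise an asset inventory against CISA KEV entries by BOD 22-01 due date.

Added example, not code from the article or from CISA. Field names follow the
public CISA KEV JSON feed; the entries and inventory below are constructed from
the article's CVEs and deadlines.
"""
import json
from datetime import date

# Constructed KEV excerpt: the four entries the article describes.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
  "dateAdded": "2026-02-03", "dueDate": "2026-02-06"},
 {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma", "product": "FreePBX",
  "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
 {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma", "product": "FreePBX",
  "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
 {"cveID": "CVE-2021-39935", "vendorProject": "GitLab", "product": "Community and Enterprise Editions",
  "dateAdded": "2026-02-03", "dueDate": "2026-02-24"}
]}"""

# Constructed inventory rows: (hostname, vendor, product) as a CMDB export might spell them.
ASSETS = [
    ("helpdesk01", "solarwinds", "web help desk"),
    ("pbx-branch", "Sangoma", "FreePBX"),
    ("git.internal", "GitLab", "GitLab EE"),
    ("fileserver", "Microsoft", "Windows Server"),
]

def _matches(entry, vendor, product):
    """Loose match: same vendor (case-insensitive) and any product word of 3+ letters
    found in the KEV product or vendor string, so 'GitLab EE' still hits the GitLab entry."""
    if entry["vendorProject"].casefold() != vendor.casefold():
        return False
    haystack = (entry["product"] + " " + entry["vendorProject"]).casefold()
    return any(w in haystack for w in product.casefold().split() if len(w) >= 3)

def prioritise(kev_json, assets, today):
    """Return one row per (asset, KEV entry) hit, soonest due date first."""
    rows = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for host, vendor, product in assets:
            if _matches(entry, vendor, product):
                days = (due - today).days
                rows.append({"host": host, "cve": entry["cveID"], "due": entry["dueDate"],
                             "days_left": days, "status": "OVERDUE" if days < 0 else "open"})
    return sorted(rows, key=lambda r: (r["due"], r["cve"], r["host"]))

if __name__ == "__main__":
    for r in prioritise(KEV_JSON, ASSETS, date(2026, 2, 4)):
        print(f'{r["status"]:8} {r["due"]} {r["cve"]} {r["host"]}')
```

Replace `KEV_JSON` with the downloaded feed and `ASSETS` with a real inventory export; the loose vendor/product match is deliberately permissive so that shadow-IT spellings surface for review rather than being silently dropped.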
