securityaffairs.com 2/3/2026, 9:45:59 PM

U.S. CISA adds SolarWinds Web Help Desk, Sangoma FreePBX, and GitLab flaws to its Known Exploited Vulnerabilities catalog

According to Security Affairs, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four flaws to its Known Exploited Vulnerabilities (KEV) catalog: two in Sangoma FreePBX, one in SolarWinds Web Help Desk, and one in GitLab.

The vulnerabilities listed are CVE-2019-19006 (Sangoma FreePBX Improper Authentication Vulnerability), CVE-2021-39935 (GitLab Community and Enterprise Editions Server-Side Request Forgery), CVE-2025-40551 (SolarWinds Web Help Desk Deserialization of Untrusted Data), and CVE-2025-64328 (Sangoma FreePBX OS Command Injection).

CVE-2025-40551, a high-severity deserialization flaw in SolarWinds Web Help Desk, allows an unauthenticated attacker to execute arbitrary commands and so achieve remote code execution on the server. CVE-2021-39935 is a Server-Side Request Forgery issue in GitLab Community and Enterprise Editions for which rising exploitation was observed in March 2025. CVE-2025-64328 is an authenticated OS command injection in the FreePBX Endpoint Manager that could lead to a full server takeover, and CVE-2019-19006 is an improper authentication vulnerability in FreePBX.

CISA has ordered federal agencies to remediate all listed vulnerabilities by 24 February 2026, with the SolarWinds flaw required to be addressed by 6 February 2026.

Article by CyberSIXT