~/home/news/cisa-flags-four-actively-exploited-2026-02-05
newsWednesday, February 4, 20268 min read👁 11 views

CISA Flags Four Actively-Exploited Vulnerabilities - Immediate Patch Required

CISA has added four CVEs-including a GitLab SSRF and a SolarWinds Web Help Desk flaw-to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private enterprises must patch now to stop active exploitation.

CISAKEVVulnerability ManagementPatch

Overview/Introduction

On February 3, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of four actively-exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog, mandated by Binding Operational Directive (BOD) 22-01, serves as a living list of CVEs that have been observed in the wild and pose a heightened risk to the federal enterprise. While BOD 22-01 applies specifically to Federal Civilian Executive Branch (FCEB) agencies, CISA’s advisory is a clear call-to-action for all organizations-governmental or private-to prioritize remediation.

The newly listed CVEs affect widely deployed products: GitLab Community and Enterprise Editions, SolarWinds Web Help Desk, and Sangoma’s FreePBX platform. Each flaw has a distinct attack vector, from server-side request forgery to deserialization of untrusted data, but all share a common denominator-active exploitation by threat actors.

Technical Details

Below is a concise technical breakdown of each CVE, the underlying vulnerability class, and the exploitation method documented by CISA.

  • CVE-2019-19006 - Sangoma FreePBX Improper Authentication
    • Vulnerability type: Improper authentication / privilege escalation.
    • Root cause: The FreePBX web interface fails to enforce authentication checks on certain internal API endpoints, allowing unauthenticated users to invoke privileged actions.
    • Exploitation: Attackers send crafted HTTP requests to the vulnerable endpoint, gaining administrative access to the telephony system.
  • CVE-2021-39935 - GitLab Community & Enterprise Editions Server-Side Request Forgery (SSRF)
    • Vulnerability type: SSRF in the CI/CD pipeline configuration parser.
    • Root cause: GitLab fails to properly sanitize URLs supplied in .gitlab-ci.yml files, allowing the CI runner to make arbitrary HTTP requests on behalf of the attacker.
    • Exploitation: Malicious actors embed a crafted URL that points to internal services (e.g., metadata endpoints, internal APIs). When the pipeline runs, the GitLab runner initiates the request, potentially exposing credentials or triggering further attacks.
  • CVE-2025-40551 - SolarWinds Web Help Desk Deserialization of Untrusted Data
    • Vulnerability type: Insecure deserialization.
    • Root cause: The Web Help Desk portal processes serialized Java objects received via HTTP POST without integrity checks.
    • Exploitation: An attacker crafts a malicious serialized payload that, when deserialized, executes arbitrary code on the server, leading to full system compromise.
  • CVE-2025-64328 - Sangoma FreePBX OS Command Injection
    • Vulnerability type: OS command injection via improperly sanitized input fields.
    • Root cause: Certain FreePBX modules concatenate user-supplied strings into shell commands without escaping.
    • Exploitation: An attacker injects shell metacharacters (e.g., ; rm -rf /) into vulnerable parameters, achieving remote code execution with the privileges of the web server.

Impact Analysis

The impact of these flaws varies by product, but each represents a high-severity risk to confidentiality, integrity, and availability (CIA) of affected environments.

  • GitLab SSRF (CVE-2021-39935): Compromise of internal services can lead to credential harvesting, lateral movement, and ransomware deployment. Enterprises that host self-managed GitLab instances-including CI/CD pipelines for critical applications-are especially vulnerable.
  • SolarWinds Web Help Desk (CVE-2025-40551): Successful exploitation grants attackers code execution on ticketing infrastructure, which often has access to privileged network segments and sensitive customer data.
  • Sangoma FreePBX (CVE-2019-19006 & CVE-2025-64328): Telephony systems are a common foothold for espionage and fraud. Unauthorized admin access or command injection can enable call interception, toll fraud, and pivoting to broader network assets.

Given the prevalence of these platforms across federal agencies, health-care providers, universities, and managed service providers, the potential blast radius is extensive. The “high” severity rating reflects both the ease of exploitation (public exploit code for the GitLab SSRF is already circulating) and the critical nature of the assets at risk.

Timeline of Events

  • 2019-2025: Vulnerabilities are discovered, reported, and in some cases patched by vendors. However, many installations remain on legacy versions.
  • Late 2025: Threat-intel feeds begin reporting active exploitation of the SolarWinds Web Help Desk deserialization bug in targeted APT campaigns.
  • January 2026: Multiple intrusion-detection systems (IDS) log SSRF attempts against public GitLab instances, confirming real-world abuse of CVE-2021-39935.
  • February 3, 2026: CISA officially adds the four CVEs to the KEV catalog, issuing a public alert and urging immediate remediation.
  • February 5, 2026: This blog post is published to disseminate technical details and actionable steps.

Mitigation/Recommendations

Organizations should treat the KEV additions as “must-fix” items and execute the following steps without delay:

  1. Patch Immediately: Apply the latest vendor-released patches. For GitLab, upgrade to 15.11.4 or later, which resolves CVE-2021-39935. For SolarWinds Web Help Desk, install version 12.5.3 or newer. For FreePBX, upgrade to the 16.x series that addresses both CVE-2019-19006 and CVE-2025-64328.
  2. Validate Versions: Conduct an inventory sweep to confirm no legacy or unpatched instances remain, especially in segmented network zones.
  3. Network Segmentation: Isolate CI/CD runners, telephony management consoles, and help-desk portals from sensitive internal services. Use firewalls to block outbound traffic to non-whitelisted IP ranges.
  4. Input Sanitization & WAF Rules: Deploy a Web Application Firewall (WAF) with rules that block outbound requests to internal IP ranges (mitigating SSRF) and reject suspicious serialized payloads.
  5. Monitoring & Logging: Enable detailed logging for authentication attempts, deserialization errors, and command-execution events. Correlate logs with threat-intel feeds for early detection of exploitation attempts.
  6. Incident Response Preparedness: Update playbooks to include detection signatures for these CVEs. Conduct tabletop exercises focused on SSRF and deserialization abuse scenarios.

For organizations bound by BOD 22-01, the remediation deadline aligns with the standard 30-day window after the KEV entry date. Non-federal entities should adopt the same cadence to stay ahead of attackers.

Real-World Impact

Consider a mid-size health-care provider that runs an on-premises GitLab instance for CI/CD pipelines handling patient-record processing scripts. An SSRF exploit could allow an adversary to reach the internal 169.254.169.254 metadata service on cloud-hosted workloads, harvest IAM credentials, and exfiltrate protected health information (PHI), triggering HIPAA violations and hefty fines.

Similarly, a municipal IT department using SolarWinds Web Help Desk for citizen ticketing could see attackers gain remote code execution, install ransomware, and encrypt ticketing databases. The resulting service outage would cripple citizen-service operations and potentially expose personal data.

In the telecom sector, compromised FreePBX systems have historically been leveraged for toll-fraud and call-spoofing campaigns, affecting both revenue and brand reputation.

Expert Opinion

From a strategic standpoint, the inclusion of these four CVEs underscores a broader trend: threat actors are gravitating toward “low-hanging fruit” that resides in widely deployed, often under-maintained software stacks. The SSRF issue in GitLab, despite being disclosed in 2021, continues to be exploited because many organizations lag in patch adoption-a symptom of fragmented change-management processes.

Furthermore, the SolarWinds deserialization flaw illustrates how legacy Java-based web applications remain a fertile ground for code-execution attacks. Enterprises should accelerate their migration to more modern, sandboxed runtimes or, at a minimum, enforce strict deserialization hardening (e.g., using ObjectInputFilter).

For the federal community, BOD 22-01’s mandatory remediation timeline is a welcome enforcement mechanism, but the private sector must internalize the same discipline. The KEV catalog should become a “daily-check” item in vulnerability-management dashboards, not an occasional compliance exercise.

Finally, I recommend that organizations adopt a “kill-chain aware” patching strategy: prioritize KEV entries (active exploitation), then move to high-CVSS scores, and finally address lower-severity findings. This layered approach maximizes risk reduction while respecting resource constraints.