CISA Flags Actively Exploited Vulnerabilities in FreePBX, GitLab, and SolarWinds Web Help Desk, Urges Immediate Patching

CyberDefender 4 mins0

CVE-2019-19006 — Sangoma FreePBX Improper Authentication

  • Affected product: Sangoma FreePBX (multiple versions, including 13.x, 14.x, and 15.x)
  • Vulnerability type: Improper authentication / access control
  • Impact:
    An unauthenticated attacker can bypass the login mechanism and gain administrative access to the FreePBX web interface. This effectively gives full control over the PBX system.
  • Severity: High to Critical (historical CVSS ~9.x)
  • Notes:
    Although disclosed in 2019, this issue continues to appear in exposed environments and has been observed in exploitation activity, which is why it remains relevant today.

CVE-2021-39935 — GitLab SSRF via CI Lint API

  • Affected product: GitLab Community and Enterprise Editions (roughly versions 10.5 through parts of the 14.x series)
  • Vulnerability type: Server-Side Request Forgery (SSRF)
  • Impact:
    An unauthenticated attacker can abuse the CI Lint API to force the GitLab server to make outbound requests to internal or arbitrary external systems. This can expose internal services and be chained with other attacks.
  • Severity: Medium to High (CVSS typically ~6.8–7.5)
  • Root cause:
    Insufficient validation of user-supplied input before it is used to initiate backend network requests.

CVE-2025-40551 — SolarWinds Web Help Desk Insecure Deserialization

  • Affected product: SolarWinds Web Help Desk (versions prior to 2026.1)
  • Vulnerability type: Deserialization of untrusted data (CWE-502)
  • Impact:
    An unauthenticated attacker can send a specially crafted serialized Java object to the application, leading to remote code execution (RCE) on the underlying server.
  • Severity: Critical (CVSS ~9.8)
  • Status: Actively exploited in the wild
  • Mitigation:
    Upgrade immediately to Web Help Desk 2026.1 or later and restrict network exposure of the application wherever possible.

CVE-2025-64328 — Sangoma FreePBX OS Command Injection

  • Affected product: Sangoma FreePBX (Endpoint Manager module)
  • Vulnerability type: OS command injection
  • Authentication required: Yes
  • Impact:
    An authenticated attacker can inject arbitrary operating system commands through vulnerable functions (such as testconnection), resulting in command execution with elevated privileges and potential full system compromise.
  • Severity: High (CVSS ~8.6)
  • Notes:
    While authentication is required, this vulnerability becomes especially dangerous if admin credentials are stolen, reused, or obtained via another flaw (such as CVE-2019-19006).

Recommended Actions

For all four vulnerabilities:

  • Apply vendor patches and upgrades immediately
  • Restrict access to management interfaces (PBX, GitLab, Web Help Desk) using firewalls, VPNs, or IP allow-listing
  • Monitor logs for indicators of compromise, especially signs of SSRF or command execution
  • Isolate or decommission legacy systems that cannot be patched

These issues are tracked in the CISA Known Exploited Vulnerabilities Catalog, which signals a strong likelihood of exploitation and mandates rapid remediation for U.S. federal systems.

CyberDefender