The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as actively exploited in attacks.
The vulnerability, tracked as CVE-2025-40551 (CVSS score: 9.8), is a untrusted data deserialization vulnerability that could pave the way for remote code execution.
"SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine," CISA said. "This could be exploited without authentication."
SolarWinds issued fixes for the flaw last week, along with CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8), in WHD version 2026.1.
There are currently no public reports about how the vulnerability is being weaponized in attacks, who may be the targets, or the scale of such efforts. It's the latest illustration of how quickly threat actors are moving to exploit newly disclosed flaws.
Also added to the KEV catalog are three other vulnerabilities -
- CVE-2019-19006 (CVSS score: 9.8) - An improper authentication vulnerability in Sangoma FreePBX that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX administrator
- CVE-2025-64328 (CVSS score: 8.6) - An operating system command injection vulnerability in Sangoma FreePBX that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function and potentially obtain remote access to the system as an asterisk user
- CVE-2021-39935 (CVSS score: 7.5/6.8) - A server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions that could allow unauthorized external users to perform Server Side Requests via the CI Lint API
It's worth noting that the exploitation of CVE-2021-39935 was highlighted by GreyNoise in March 2025, as part of a coordinated surge in the abuse of SSRF vulnerabilities in multiple platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.
By contrast, the abuse of CVE-2019-19006 dates back to November 2020, when Check Point disclosed details of a cyber fraud operation codenamed INJ3CTOR3 that leveraged the flaw to compromise VoIP servers and sell the access to the highest bidders. As recently as last week, Fortinet revealed the threat actor behind the activity has weaponized CVE-2025-64328 starting early December 2025 to deliver a web shell codenamed EncystPHP.
"In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461," security researcher Vincent Li said. "These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments."
Once launched, EncystPHP attempts to collect FreePBX database configuration, sets up persistence by creating a root-level user named newfpbx, resets multiple user account passwords, and modifies the SSH "authorized_keys" file to ensure remote access. The web shell also exposes an interactive interface that supports several predefined operational commands.
This includes file system enumeration, process inspection, querying active Asterisk channels, listing Asterisk SIP peers, and retrieving multiple FreePBX and Elastix configuration files.
"By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment," Li explained.
"Because it can blend into legitimate FreePBX and Elastix components, such activity may evade immediate detection, leaving affected systems exposed to well-known risks, including long-term persistence, unauthorized administrative access, and abuse of telephony resources."
Federal Civilian Executive Branch (FCEB) agencies are required to fix CVE-2025-40551 by February 6, 2026, and the rest by February 24, 2026, pursuant to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
