Executive Summary
In February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These vulnerabilities include CVE-2019-19006 and CVE-2025-64328 in Sangoma FreePBX, CVE-2021-39935 in GitLab Community and Enterprise Editions, and CVE-2025-40551 in SolarWinds Web Help Desk. The vulnerabilities range from improper authentication and OS command injection to server-side request forgery and deserialization of untrusted data, posing significant risks to affected systems.
The inclusion of these vulnerabilities in the KEV Catalog underscores the persistent threat posed by unpatched software. Organizations are urged to prioritize remediation efforts to mitigate potential exploitation, as these vulnerabilities are actively targeted by malicious actors.
Why This Matters Now
The addition of these vulnerabilities to the KEV Catalog highlights the ongoing risk of unpatched systems being exploited. Immediate remediation is crucial to prevent potential breaches and maintain system integrity.
Attack Path Analysis
Attackers exploited vulnerabilities in Sangoma FreePBX, GitLab, and SolarWinds Web Help Desk to gain unauthorized access, escalate privileges, move laterally within networks, establish command and control channels, exfiltrate sensitive data, and disrupt services.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in Sangoma FreePBX (CVE-2019-19006, CVE-2025-64328), GitLab (CVE-2021-39935), and SolarWinds Web Help Desk (CVE-2025-40551) to gain unauthorized access to systems.
Related CVEs
CVE-2025-64328
CVSS 8.6FreePBX Endpoint Manager versions 17.0.2.36 and above before 17.0.3 contain a post-authentication command injection vulnerability in the filestore module, allowing authenticated users to execute arbitrary commands via the testconnection -> check_ssh_connect() function.
Affected Products:
Sangoma FreePBX Endpoint Manager – 17.0.2.36 and above before 17.0.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Server Software Component: Web Shell
Exploitation for Privilege Escalation
Valid Accounts
Scheduled Task/Job: Cron
Hijack Execution Flow: DLL Side-Loading
Exploitation for Defense Evasion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory KEV remediation deadlines under BOD 22-01, with FreePBX and SolarWinds vulnerabilities threatening critical communication infrastructure and network security controls.
Information Technology/IT
Active exploitation of GitLab SSRF and SolarWinds deserialization vulnerabilities creates significant risks for IT service providers managing enterprise development platforms and help desk systems.
Telecommunications
Sangoma FreePBX authentication bypass and command injection vulnerabilities pose severe threats to VoIP infrastructure, enabling lateral movement through encrypted traffic channels and communication systems.
Financial Services
Known exploited vulnerabilities in enterprise software platforms threaten compliance frameworks like PCI DSS, requiring immediate remediation to prevent privilege escalation and data exfiltration attacks.
Sources
- CISA Adds Four Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalogVerified
- NVD - CVE-2025-64328https://nvd.nist.gov/vuln/detail/CVE-2025-64328Verified
- FreePBX Security Advisory GHSA-vm9p-46mv-5xvwhttps://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvwVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attackers' ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt services by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely have constrained unauthorized access by enforcing strict identity-based policies, reducing the attack surface available to exploit vulnerabilities.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have restricted privilege escalation by enforcing least-privilege access controls, limiting the scope of actions an attacker could perform.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited lateral movement by monitoring and controlling internal traffic, reducing the ability of attackers to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have detected and constrained command and control channels by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have restricted data exfiltration by controlling outbound traffic and enforcing strict egress policies.
The deployment of web shells and subsequent service disruptions would likely have been constrained by the cumulative enforcement of CNSF controls, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Telephony Services
- VoIP Communications
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of call logs and voice recordings.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Multicloud Visibility & Control to monitor and manage traffic across cloud environments, identifying anomalous interactions.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- • Apply Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
