
On February 3, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog with four significant vulnerabilities—each backed by evidence of active exploitation or credible risk in the wild. These catalog additions signal urgent patching and mitigation priorities for defenders across government and industry.
The KEV Catalog is a curated list of Common Vulnerabilities and Exposures (CVEs) that CISA has identified as actively targeted or abused by adversaries. Under Binding Operational Directive 22-01, United States federal agencies are required to remediate each listed vulnerability by the due date CISA assigns to it, and private-sector security teams should treat the same entries as high-priority remediation items.
Let’s take a closer look at the four CVEs added:
CVE-2025-40551 — SolarWinds Web Help Desk Untrusted Deserialization (RCE)
Severity: Critical, CVSS 9.8
Impact: Remote Code Execution (RCE) without authentication
This vulnerability in SolarWinds Web Help Desk stems from deserialization of untrusted data, allowing an unauthenticated attacker to execute arbitrary commands on the server. Deserialization vulnerabilities in Java-based services remain a potent risk because attackers can craft malicious data that leads to full system compromise.
SolarWinds has released a patched version (2026.1), and organizations using Web Help Desk should update immediately, given the exploitability and severity of this flaw.
CVE-2019-19006 — Sangoma FreePBX Improper Authentication
Severity: Critical, CVSS 9.8
Impact: Authentication bypass leading to administrative access
Originally disclosed in 2019, this issue affects multiple versions of Sangoma FreePBX due to improper authentication controls. An attacker can bypass the login mechanism entirely and gain full administrative privileges on the PBX interface.
Although this CVE dates from 2019, recent evidence of exploitation prompted its addition to the KEV Catalog. This underscores that longstanding vulnerabilities can remain exploitable years after disclosure, especially in widely deployed systems.
CVE-2025-64328 — FreePBX Endpoint Manager OS Command Injection
Severity: High, CVSS 8.6
Impact: Authenticated OS command injection
This flaw resides in the FreePBX Endpoint Manager and allows an authenticated user to inject OS-level commands through the testconnection function. Injected commands run with the privileges of the PBX service (typically the asterisk user), which can lead to full system compromise or pivoting deeper into the network.
Because exploitation requires valid credentials, this flaw is somewhat less exposed than unauthenticated RCE. However, in environments where an attacker can obtain a valid session (via phishing, credential theft, etc.), the risk remains significant.
CVE-2021-39935 — GitLab Server-Side Request Forgery (SSRF)
Severity: High, CVSS 8.5
Impact: SSRF allowing unauthorized backend requests
This vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to several fixed releases. It allows an unauthenticated external actor to abuse the CI Lint API to perform server-side request forgery (SSRF).
SSRF vulnerabilities can enable attackers to make the server perform requests on their behalf, potentially accessing internal resources or triggering additional chained exploits. This type of flaw is especially valuable in broader exploitation campaigns.
What This Means for Your Security Program
- Immediate Prioritization: All CVEs in the KEV Catalog should be treated as urgent patching items. Federal agencies have strict deadlines; private organizations should align their vulnerability management accordingly.
- Defense-In-Depth: Beyond patching, implement compensating controls such as network segmentation, authentication hardening, Web Application Firewalls (WAFs), and monitoring for exploitation indicators.
- Legacy Systems Risk: The inclusion of older vulnerabilities like CVE-2019-19006 highlights that unpatched legacy systems can still be actively targeted.
- Threat Visibility: Because these vulnerabilities are observed being exploited (or have strong evidence pointing to exploitation activities), they should inform threat modeling, red-team exercises, and incident response planning.
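A small triage script, added here as an illustration rather than code from CISA or this advisory, shows how the KEV feed's own field names (cveID, vendorProject, product, dueDate) can be matched against an asset inventory so that the deadlines behind the "Immediate Prioritization" item become a concrete worklist. The feed sample, the inventory hostnames and the due dates are constructed; the CVE ids, vendors and products are the four discussed above.

```python
import json
import re
from datetime import date

# Constructed sample shaped like CISA's KEV feed: the field names (cveID, vendorProject,
# product, dateAdded, dueDate) are the feed's own, but the entries' dates are placeholders.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma", "product": "FreePBX",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma", "product": "FreePBX",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab", "product": "GitLab CE/EE",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-24"},
]})

# Constructed asset inventory (hypothetical hostnames), as a CMDB or scanner might export it.
SAMPLE_INVENTORY = [
    {"host": "helpdesk01", "vendor": "solarwinds", "product": "web help desk"},
    {"host": "pbx-core", "vendor": "Sangoma", "product": "FreePBX"},
    {"host": "git01", "vendor": "GitLab", "product": "GitLab CE"},
    {"host": "fw-edge", "vendor": "ExampleVendor", "product": "ExampleOS"},
]

def norm(s: str) -> str:
    """Lower-case and drop punctuation/whitespace so differing spellings still compare."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def product_matches(kev_product: str, inv_product: str) -> bool:
    """Loose containment in either direction: 'gitlabce' is inside 'gitlabceee'."""
    a, b = norm(kev_product), norm(inv_product)
    return a in b or b in a

def triage(feed_json: str, inventory: list, today_iso: str) -> list:
    """Return one row per (KEV entry, affected host), nearest or most overdue deadline first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        for asset in inventory:
            if norm(asset["vendor"]) != norm(v["vendorProject"]):
                continue
            if product_matches(v["product"], asset["product"]):
                rows.append({"cve": v["cveID"], "host": asset["host"], "due": v["dueDate"],
                             "days_left": days_left, "overdue": days_left < 0})
    # CVE id as tiebreaker so equal deadlines produce stable, reviewable output.
    return sorted(rows, key=lambda r: (r["days_left"], r["cve"]))
```

In practice the feed would be fetched from CISA's published JSON rather than embedded, and the loose name matching should be reviewed by a human, since vendor and product spellings in the catalog vary.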
Keeping pace with the ever-evolving KEV Catalog is a cornerstone of resilient cyber defense. By understanding what is being targeted in the wild and how these vulnerabilities operate, organizations can reduce their attack surface and improve risk mitigation outcomes.


