CISA KEV Update: Patch Four Exploited CVEs Now Under BOD 22-01

CISA’s latest KEV update elevates four distinct and high-impact vulnerabilities—two in Sangoma FreePBX, one in GitLab, and one in SolarWinds Web Help Desk—into the Known Exploited Vulnerabilities (KEV) Catalog, signaling credible evidence of active exploitation and forcing an operational prioritization under Binding Operational Directive (BOD) 22‑01 (www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities). This advisory is a blunt reminder that attackers continue to weaponize both old, widely deployed systems and newer product flaws, and that defenders must treat KEV listings as immediate, actionable priorities rather than optional housekeeping.

Background / Overview

The Cybersecurity and Infrastructure Security Agency’s KEV Catalog is a curated, living list of Common Vulnerabilities and Exposures (CVEs) that CISA has verified are being actively exploited in the wild. The Catalog exists to force rapid, prioritized remediation in the Federal Civilian Executive Branch (FCEB) through BOD 22‑01, but its practical effect extends far beyond federal networks: private-sector and critical-infrastructure operators rely on the KEV list as an early-warning, operational triage tool. BOD 22‑01 requires agencies to remediate KEV-listed vulnerabilities on compressed timelines and explains the methodology CISA uses to determine inclusion.
This KEV addition is notable because it mixes vulnerabilities spanning multiple years, software generations, and attack categories:
  • An older but still widespread authentication-bypass in Sangoma FreePBX (CVE‑2019‑19006).
  • A multi-version Server‑Side Request Forgery (SSRF) in GitLab’s CI Lint API (CVE‑2021‑39935).
  • A recent, high‑severity deserialization flaw in SolarWinds Web Help Desk that can lead to remote code execution (CVE‑2025‑40551).
  • A post‑authentication command‑injection in FreePBX Endpoint Manager that allows authenticated users to run OS commands (CVE‑2025‑64328).
Each of these was added because of evidence showing exploitation or credible, reliable reporting of in‑the‑wild abuse—exactly the threshold CISA uses for KEV entries.

Why these four matter: short technical snapshots

CVE‑2019‑19006 — Sangoma FreePBX: Improper Authentication

  • What it is: An incorrect access control / authentication bypass in Sangoma FreePBX (affecting older 13.x, 14.x, 15.x builds) that can let a remote unauthenticated attacker bypass admin authentication and access administrative functions.
  • Why it hurts: FreePBX is a widely deployed voice‑platform control panel. Admin access provides immediate control over telephony configuration, call routing, voicemail, and potentially access to voice recordings. Attackers with admin access can pivot into deeper parts of infrastructure or use voice systems for fraud and persistence.

CVE‑2021‑39935 — GitLab CE/EE: SSRF via CI Lint API

  • What it is: A Server‑Side Request Forgery (CWE‑918) that allows unauthorized external users to make server‑side HTTP requests through GitLab’s CI Lint API in affected versions (ranges beginning with 10.5 up to certain 14.x releases). Attackers can use SSRF to reach internal services, access metadata endpoints, or move laterally within an environment.
  • Why it hurts: GitLab is often exposed on development networks and can be trusted by internal services. SSRF affords attackers a way to abuse that trust to query internal infrastructure and potentially access credentials, metadata services, or internal management APIs.

CVE‑2025‑40551 — SolarWinds Web Help Desk: Deserialization of Untrusted Data

  • What it is: An untrusted data deserialization flaw in SolarWinds Web Help Desk that can lead to remote code execution without authentication. The vulnerability has been scored as highly severe by independent trackers and vendor advisories, and NVD records indicate confirmed vendor-sourced reports.
  • Why it hurts: SolarWinds products are frequently used in IT service and asset management; a remote, unauthenticated RCE in such a product can be a very high-value target for ransomware groups, espionage actors, or supply‑chain attacks. The ability to run arbitrary commands on the host gives attackers immediate capability to install backdoors, exfiltrate data, or pivot.

CVE‑2025‑64328 — FreePBX Endpoint Manager: Authenticated OS Command Injection

  • What it is: A post‑authentication command injection vulnerability in the FreePBX Endpoint Manager’s filestore module (testconnection -> check_ssh_connect()). It allows an authenticated, known user to inject OS commands that execute as the asterisk user; fixed in 17.0.3.
  • Why it hurts: Although authenticated, the flaw is dangerous because many deployments use shared or weak credentials, and attackers often obtain valid admin credentials via phishing, credential stuffing, or reuse. Once authenticated, command injection provides complete lateral control over the voice server and a foothold in the organization’s internal network.

Cross‑verification and evidence base

CISA’s KEV decisions are intentionally conservative and are based on reliable evidence of exploitation; when CISA adds a CVE to KEV it typically references vendor advisories, threat intelligence reports, or observed active exploitation. For this set:
  • The FreePBX CVE from 2019 has vendor documentation and independent vulnerability trackers corroborating the authentication bypass and its severity.
  • GitLab’s SSRF is documented in CVE trackers, vendor posts, and distribution security advisories (Ubuntu, Debian, GitLab’s own CVE repo). The vulnerability affects multiple GitLab version ranges and has been widely discussed and patched in affected lines.
  • SolarWinds’ CVE shows up in NVD and in vendor tracking (SolarWinds advisory entries are referenced from NVD). NVD and independent aggregators list RCE risk tied to deserialization.
  • The FreePBX 2025 command‑injection listing is present in NVD/OSV and has associated GitHub advisory and module-level code references indicating the precise vulnerable function.
Where public, vendor advisories and NVD records together provide the most load‑bearing confirmations for each CVE; these are the authoritative technical references defenders should consult first.

Tactical impact and likely attacker goals

Attackers exploit these classes of vulnerabilities for a predictable set of objectives:
  • Command injection and deserialization RCE (SolarWinds, FreePBX command injection) enable immediate code execution on hosts, giving attackers the ability to install ransomware, pivot laterally across the corporate network, or persist in vendor management systems.
  • Authentication bypasses (FreePBX 2019) equate to unauthorized admin access—a high-value outcome that often allows configuration changes, data exfiltration, and the seeding of additional access tokens.
  • SSRF (GitLab) is an information-gathering enabler that helps attackers reach internal-only services (e.g., cloud metadata endpoints), which can rapidly escalate an attack to cloud account takeover or lateral movement.
Taken together, this KEV batch is meaningful because it combines both unauthenticated, high‑impact remote execution and authenticated-but-critical local command injection plus an SSRF that aids reconnaissance—exactly the toolkit modern adversaries need to convert an initial foothold into a full compromise.

Immediate remediation and detection guidance (operational checklist)

This is a non‑exhaustive, prioritized checklist defenders should act on immediately after a KEV addition.
  • Inventory and scope
      • Identify all instances of FreePBX (including Endpoint Manager modules), GitLab servers, and SolarWinds Web Help Desk in your environment. Include cloud-hosted and contractor/third‑party instances.
  • Apply vendor fixes or mitigations
      • FreePBX: Upgrade to the fixed versions (check module release notes and FreePBX security advisories; vendor updates for the 2019 flaw have long been available, and the Endpoint Manager injection is fixed in 17.0.3).
      • GitLab: Upgrade to a patched release per vendor guidance (affected versions are charted in NVD and GitLab advisories). Restrict or firewall CI Lint API access until patched.
      • SolarWinds WHD: Apply the vendor security advisory or patch immediately; treat affected hosts as high-priority for patching.
  • Temporary isolation and network controls
      • If patches cannot be applied immediately, isolate vulnerable systems from high‑value networks, tighten access controls, and block external access to management interfaces.
  • Credentials and session hygiene
      • Rotate credentials for administrative accounts and invalidate stale sessions. Enforce MFA where available and audit sudo/privileged operation logs.
  • Detection and threat hunting
      • Hunt for indicators of compromise (web logs, unusual outbound HTTP requests, unexpected SSH or shell commands from web processes, suspicious processes spawned by Web Help Desk or FreePBX daemons).
      • For SSRF: look for unexpected server-side outbound requests to internal IP ranges or cloud metadata endpoints.
  • Apply layered mitigations
      • WAF rules to block suspicious payloads, application-level input validation, and limited service exposure (only allow management consoles from controlled admin networks).
  • Communication and reporting
      • If you are a federal agency, follow BOD 22‑01 remediation and reporting timelines. Private organizations should document mitigation steps and consider notifying customers or partners if compromise is suspected.
Short, prioritized action reduces the attack surface and buys time for surgical patching.
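The first two checklist steps (inventory, then apply fixes by deadline) are mechanical enough to script. The following is an added example, not code from CISA or from this post: it matches a constructed asset inventory against a small KEV-style feed extract and ranks the findings by due date. The record fields mirror the names used by CISA's public KEV JSON feed as I know them (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the four CVE IDs, vendors and products come from the text above, while the dates, host names and requiredAction strings are constructed placeholders.

```python
"""Match an asset inventory against a KEV feed extract and rank by BOD 22-01 due date.

Added example, not from the post or from CISA. Field names mirror CISA's public
KEV JSON feed as I know them; the entries are CONSTRUCTED: only the four CVE IDs,
vendors and products come from the post, the dates and hosts are placeholders.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma", "product": "FreePBX",
     "dateAdded": "2025-12-01", "dueDate": "2025-12-22",
     "requiredAction": "Apply vendor updates or discontinue use (constructed text)"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab", "product": "GitLab CE/EE",
     "dateAdded": "2025-12-01", "dueDate": "2025-12-22",
     "requiredAction": "Upgrade to a patched release (constructed text)"},
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dateAdded": "2025-12-01", "dueDate": "2025-12-15",
     "requiredAction": "Apply vendor patch (constructed text)"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma", "product": "FreePBX",
     "dateAdded": "2025-12-01", "dueDate": "2025-12-22",
     "requiredAction": "Update Endpoint Manager (constructed text)"},
]})

# Constructed asset inventory; one host deliberately matches nothing in the feed.
INVENTORY = [
    {"host": "pbx-01.corp.example", "vendor": "Sangoma", "product": "FreePBX", "owner": "telecom"},
    {"host": "git.corp.example", "vendor": "GitLab", "product": "GitLab CE/EE", "owner": "devops"},
    {"host": "helpdesk.corp.example", "vendor": "SolarWinds", "product": "Web Help Desk", "owner": "itsm"},
    {"host": "wiki.corp.example", "vendor": "ExampleVendor", "product": "Wiki", "owner": "it"},
]


def normalize(text):
    """Lower-case and strip punctuation so 'Web Help Desk' and 'WebHelpDesk' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def affects(entry, asset):
    """True when the vendor matches and either product name contains the other."""
    if normalize(entry["vendorProject"]) != normalize(asset["vendor"]):
        return False
    kev_prod, inv_prod = normalize(entry["product"]), normalize(asset["product"])
    if not kev_prod or not inv_prod:
        return False
    return kev_prod in inv_prod or inv_prod in kev_prod


def triage(kev_json, inventory, today_iso):
    """One finding per (CVE, host) pair, ordered by due date, then CVE, then host."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if affects(entry, asset):
                findings.append({
                    "cve": entry["cveID"], "host": asset["host"], "owner": asset["owner"],
                    "due": entry["dueDate"], "days_left": (due - today).days,
                    "overdue": today > due, "action": entry["requiredAction"],
                })
    findings.sort(key=lambda f: (f["due"], f["cve"], f["host"]))
    return findings


def unmatched_assets(kev_json, inventory):
    """Hosts with no KEV match; they still need normal patching, KEV is not the whole exposure."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return [a["host"] for a in inventory if not any(affects(e, a) for e in entries)]


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2025-12-10"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['due']}  {f['cve']}  {f['host']:24} {f['owner']:8} {flag}")
```

Against a real environment the feed would be fetched from CISA rather than embedded, and matching would use the CPE or version data your inventory carries; the substring match on vendor and product is deliberately loose so that a host is surfaced for review rather than silently skipped.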

Detection signatures and red flags to hunt for

  • Unexpected inbound requests to admin endpoints followed by changes in configuration files (FreePBX).
  • Outbound HTTP/HTTPS requests from application hosts to internal IP ranges or cloud metadata addresses (169.254.169.254 for AWS/GCP/Azure metadata), indicating SSRF exploitation.
  • New or unexpected processes spawned by Web Help Desk or asterisk processes, suspicious crontab entries, or files placed in webroot directories.
  • Authentication anomalies: multiple failed logins followed by session token creation, or logins from unusual IP ranges.
  • Signs of code deserialization or malformed object payloads in request logs—look for unusual serialized blobs or base64 payloads reaching management endpoints.
Create tailored detection queries in your EDR and SIEM systems and prioritize alerts related to these behaviors.
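Three of the red flags above (SSRF egress to internal or metadata addresses, serialized blobs reaching management endpoints, and failed-then-successful logins) can be expressed as small hunting queries. The block below is an added example, not code from the post or from any vendor: it runs those checks over constructed key=value log lines. The log layout, host names and addresses are invented for illustration; the only values taken from the text are the 169.254.169.254 metadata address and the behaviours being hunted. The Java serialization stream header (0xAC 0xED 0x00 0x05) is used as one well-known marker of a serialized object; the text does not say which serialization format the SolarWinds flaw involves, so treat that check as a generic hint rather than a product-specific signature.

```python
"""Hunting queries for SSRF egress, serialized payloads and login anomalies.

Added example, not from the advisory or the post. Log format, hosts and
addresses are CONSTRUCTED; only 169.254.169.254 comes from the text.
"""
import base64
import ipaddress
import re

# Constructed egress log from application hosts (GitLab, FreePBX, Web Help Desk).
EGRESS_LOG = """\
2025-12-10T09:01:11Z host=git-01 dst=140.82.112.3 dport=443 path=/api/v4/projects
2025-12-10T09:01:15Z host=git-01 dst=169.254.169.254 dport=80 path=/latest/meta-data/
2025-12-10T09:02:02Z host=git-01 dst=10.20.30.40 dport=8500 path=/v1/kv/
2025-12-10T09:03:44Z host=pbx-01 dst=93.184.216.34 dport=443 path=/modules
2025-12-10T09:04:01Z host=whd-01 dst=192.168.5.5 dport=80 path=/
"""

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # stream header of Java object serialization
# Constructed payloads: one serialized-object blob, one benign long session token.
_SERIAL_BLOB = base64.b64encode(JAVA_SERIAL_MAGIC + b"A" * 32).decode()
_SESSION_TOKEN = base64.b64encode(b"session-token-" + b"x" * 40).decode()

# Constructed access log for management endpoints (paths are placeholders).
ACCESS_LOG = f"""\
2025-12-10T09:05:00Z src=198.51.100.7 method=POST path=/mgmt/tickets body=ticket=1234&view=list
2025-12-10T09:05:09Z src=198.51.100.7 method=POST path=/mgmt/api/import body=data={_SERIAL_BLOB}
2025-12-10T09:05:30Z src=198.51.100.8 method=GET path=/mgmt/home body=cookie={_SESSION_TOKEN}
2025-12-10T09:06:30Z src=198.51.100.9 method=GET path=/admin/config body=
"""

# Constructed authentication log for an admin interface.
AUTH_LOG = """\
2025-12-10T10:00:01Z src=203.0.113.50 user=admin result=fail
2025-12-10T10:00:03Z src=203.0.113.50 user=admin result=fail
2025-12-10T10:00:05Z src=203.0.113.50 user=admin result=fail
2025-12-10T10:00:09Z src=203.0.113.50 user=admin result=success
2025-12-10T10:15:00Z src=10.0.0.12 user=alice result=fail
2025-12-10T10:15:20Z src=10.0.0.12 user=alice result=success
"""

METADATA_IPS = {"169.254.169.254"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_kv(line):
    """Split '<timestamp> k=v k=v ...' into a dict; values may themselves contain '='."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = ts
    return fields


def classify_destination(dst):
    """Reason an app host should not be calling dst, or None if it looks like normal egress."""
    if dst in METADATA_IPS:
        return "cloud-metadata"
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:  # a hostname rather than an address; resolve it separately
        return None
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return None


def find_ssrf_egress(log_text, allowlist=frozenset()):
    """Flag server-side requests to internal or metadata addresses (SSRF red flag)."""
    hits = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f["dst"] in allowlist:  # known-good internal dependencies, e.g. the database
            continue
        reason = classify_destination(f["dst"])
        if reason:
            hits.append((f["ts"], f["host"], f["dst"], reason))
    return hits


def find_serialized_payloads(log_text):
    """Flag long base64 runs reaching management endpoints; mark Java-serialized ones."""
    hits = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        for run in BASE64_RUN.findall(f.get("body", "")):
            try:
                decoded = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            except ValueError:
                continue
            kind = "java-serialized" if decoded.startswith(JAVA_SERIAL_MAGIC) else "base64-blob"
            hits.append((f["ts"], f["src"], f["path"], kind))
    return hits


def find_failures_then_success(log_text, threshold=3):
    """Flag a successful login preceded by >= threshold failures from the same source."""
    fails, hits = {}, []
    for line in log_text.splitlines():
        f = parse_kv(line)
        key = (f["src"], f["user"])
        if f["result"] == "fail":
            fails[key] = fails.get(key, 0) + 1
        elif f["result"] == "success":
            if fails.get(key, 0) >= threshold:
                hits.append((f["ts"], f["src"], f["user"], fails[key]))
            fails[key] = 0
    return hits


if __name__ == "__main__":
    for hit in (find_ssrf_egress(EGRESS_LOG) + find_serialized_payloads(ACCESS_LOG)
                + find_failures_then_success(AUTH_LOG)):
        print(hit)
```

The allowlist on the SSRF check matters in practice: application hosts legitimately talk to databases and internal APIs, so the query should be tuned per host rather than alerting on every RFC 1918 destination. The base64 check is low-confidence on its own (session cookies and tokens trip it too), which is why the example separates a generic "base64-blob" hit from one whose decoded bytes carry a serialization header.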

Policy and operational implications: what BOD 22‑01 means here

BOD 22‑01 is the enforcement backbone that turns CISA’s KEV catalog from a list into operational obligation for FCEB agencies: once a CVE enters KEV, federal agencies must remediate by the due date or formally isolate affected assets. That directive matters because it compresses remediation calendars and shifts resources away from lower‑priority vulnerabilities to those proven to be exploited. For private-sector operators, the KEV listing is an actionable risk signal—even when no federal mandate exists—because the same adversaries that probe federal systems target the private sector. The KEV mechanism has repeatedly shown value by focusing scarce patching capacity on true, present danger.

Strengths, concerns, and gaps — critical analysis

Strengths

  • KEV’s operational focus forces rapid action on real-world threats. That reduces dwell time for adversaries and aligns finite patching resources with the highest impact risks.
  • Public, consistent publishing gives defenders a shared situational picture and enables automated vulnerability management tools to surface real-time priorities.

Concerns and potential risks

  • Over-reliance on KEV alone can create blind spots. KEV lists only those vulnerabilities for which CISA has reliable evidence of exploitation. Attackers will continue to exploit unlisted flaws, and defenders must maintain robust scanning and patch posture beyond KEV.
  • KEV-driven priorities can overwhelm small IT teams when multiple high‑priority CVEs are added in short periods; the operational strain can lead to misapplied fixes or incomplete mitigations.
  • The presence of both legacy and recent CVEs in the KEV set underlines a perennial problem: poor asset inventory and legacy exposure. Organizations with undocumented appliances and unmanaged voice infrastructure are particularly at risk.

Technical gaps worth noting

  • Some KEV entries are for authenticated vulnerabilities (like CVE‑2025‑64328). Those are often dangerous precisely because attackers frequently obtain valid credentials through other means (phishing, credential stuffing); defenders must guard identity and session management as strictly as they guard the code itself.
  • Supply‑chain exposure and deserialization RCEs (SolarWinds) highlight that upstream vendor fixes are necessary but not sufficient—runtime protections and network‑level isolation still matter.

Longer‑term recommendations (beyond immediate patching)

  • Build and maintain a real‑time asset inventory that includes embedded and voice appliances (FreePBX), internal developer tools (GitLab), and third‑party helpdesk/management products (SolarWinds). Inventory is the baseline for any remediation program.
  • Enforce strong identity hygiene: MFA on all admin interfaces, strict password policies, rotation of service credentials, and least privilege for service accounts.
  • Segment networks so that management consoles and telecom appliances cannot be trivially used as pivot points into higher-value systems.
  • Adopt a layered detection posture: WAF, EDR, network telemetry, and application logging—then practice triage and automated patching workflows so that KEV entries are absorbed into operations quickly and reliably.
  • Invest in incident response playbooks that specifically address common KEV categories (SSRF, deserialization RCE, command injection, and authentication bypasses), including rapid containment steps and forensic evidence preservation.

Final takeaways for IT leaders and security practitioners

  • Treat KEV entries as urgent. Whether you are a federal agency bound by BOD 22‑01 or a private organization, the evidence behind a KEV listing is deliberate—these are vulnerabilities adversaries are actively exploiting. Prioritize inventory, apply vendor fixes or mitigations, and isolate if you cannot patch immediately.
  • Do not confuse “old” with “safe.” The KEV list routinely includes legacy CVEs (such as CVE‑2019‑19006) when attackers rediscover and weaponize them; legacy systems remain a persistent enterprise risk.
  • Combine rapid tactical response with structural investments: identity safety, network segmentation, and robust telemetry are the defenses that reduce the blast radius when zero‑day or known exploited vulnerabilities are announced.
CISA’s KEV addition is both a warning and an operational playbook: act fast, act deliberately, and assume the adversary will try to exploit every gap you leave unpatched or misconfigured.

Conclusion
This KEV update—mixing FreePBX authentication and command injection issues, GitLab SSRF, and a SolarWinds deserialization RCE—is a practical case study in modern attack economics: adversaries mix reconnaissance (SSRF), privilege escalation (authentication bypass), and remote execution (deserialization, command injection) to escalate incidents quickly. For defenders, the prescription remains the same but urgent: find the affected assets, apply vendor fixes now, tighten access to management interfaces, hunt actively for exploitation indicators, and harden identity and network controls to blunt future attempts. The cost of inaction is high; the window for remediation, once a KEV listing appears, is intentionally short. Make it count.

Source: CISA, "CISA Adds Four Known Exploited Vulnerabilities to Catalog"