Powered by MOMENTUMMEDIA

Alert! CISA warns of 4 exploited vulnerabilities

Critical Severity SolarWinds Web Help Desk vulnerability added to Known Exploited Vulnerabilities Catalog alongside flaws in Sangoma FreePBX and GitLab Community and Enterprise Editions.

Wed, 04 Feb 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

The most severe of them is CVE-2025-40551, a deserialisation of untrusted data vulnerability in SolarWinds Web Help Desk. If exploited, it can lead to remote code execution, allowing an unauthenticated attacker to run arbitrary commands on the host.

The issue was first disclosed by SolarWinds on January 28, one of six vulnerabilities disclosed on that date, and carries a CVSS score of 9.8, making it a Critical Severity vulnerability. CVE-2025-40551 affects SolarWinds Web Help Desk 12.8.8 HF1 and all previous versions; it is fixed in version 2026.1.


Cybersecurity firm Rapid7 noted the possible impact of this vulnerability, along with another SolarWinds bug, in a recent blog post.

“Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution,” Rapid7 said.

“RCE via deserialisation is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.”
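To show why Rapid7 calls deserialisation such a reliable vector, here is an added example that is not SolarWinds code and says nothing about how CVE-2025-40551 itself is triggered. It uses Python's pickle, which, like Java serialization, lets the byte stream name the callables the loader will invoke while rebuilding objects. The gadget class, the harmless `echo` command it runs, and the allowlist in `RestrictedUnpickler` are all constructed for illustration.

```python
import io
import pickle
import subprocess


class CommandGadget:
    """Constructed attacker object (illustration only).

    __reduce__ tells pickle to rebuild this object on the loading side by
    calling subprocess.check_output(["echo", "pwned"]). Any OS command could
    be substituted for the harmless echo; the loader never sees a class,
    only a callable and its arguments.
    """

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_malicious_payload() -> bytes:
    """Serialise the gadget: this is what an attacker would send."""
    return pickle.dumps(CommandGadget())


def build_benign_payload() -> bytes:
    """A legitimate message of the kind the service actually expects (constructed)."""
    return pickle.dumps({"ticket": 42, "tags": ["urgent"]})


def unsafe_load(data: bytes):
    """Vulnerable pattern: pickle.loads resolves and calls whatever globals
    the stream names, so loading attacker bytes executes attacker commands."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only explicitly allowlisted globals may be resolved.

    The allowlist below is an assumption for this example; a real service
    lists exactly the types its protocol needs, nothing more.
    """

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "str"),
        ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_load(data: bytes):
    """Return (accepted, result_or_reason) so callers can log rejections."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The vulnerable loader runs the embedded command and returns its output.
    print(unsafe_load(build_malicious_payload()))
    # The hardened loader refuses the gadget but still accepts real data.
    print(try_safe_load(build_malicious_payload()))
    print(try_safe_load(build_benign_payload()))
```

The point generalises beyond pickle: any deserialisation format whose stream can name classes or callables needs an allowlist enforced at resolution time (Java's `ObjectInputFilter` plays the same role as `find_class` here), or better, a data-only format such as JSON for anything that crosses a trust boundary.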

CVE-2025-64328 is a High Severity command injection vulnerability in the FreePBX Endpoint Manager module. It was assigned a CVE number in November 2025 but dates back to March of the same year, and affects versions between 17.0.2.36 and 17.0.3.

“The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host,” FreePBX said in November.

“An attacker could leverage this to obtain remote access to the system as the asterisk user.”
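The class of bug FreePBX describes, admin-panel input reaching a shell, is easy to reproduce and easy to fix. The following is an added example and not FreePBX code; the "template name" field, the sample inputs, and the `echo` command standing in for whatever the real module runs are all constructed for illustration.

```python
import re
import subprocess

# Constructed sample inputs: what an administrator types into a web form.
BENIGN_INPUT = "polycom_vvx"
HOSTILE_INPUT = "polycom_vvx; echo INJECTED"


def run_vulnerable(template_name: str) -> str:
    """Vulnerable pattern: user input interpolated into a shell command string.

    With shell=True, /bin/sh parses the line, so ';' ends the intended command
    and starts an attacker-chosen one. It runs with the web process's
    privileges (on a PBX, typically the asterisk user).
    """
    cmd = f"echo template={template_name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_list_no_validation(template_name: str) -> str:
    """Passing argv as a list already defeats the injection: no shell parses
    the input, so the whole string becomes a single literal argument."""
    proc = subprocess.run(
        ["echo", f"template={template_name}"], capture_output=True, text=True
    )
    return proc.stdout


# Assumed allowlist for this example: identifiers only, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def run_hardened(template_name: str) -> str:
    """Hardened pattern: allowlist-validate the input, then use an argv list.

    Validation matters even with an argv list, because the value may later
    be used as a filename or reach another interpreter (SQL, a config file).
    """
    if not SAFE_NAME.fullmatch(template_name):
        raise ValueError(f"rejected template name: {template_name!r}")
    return run_list_no_validation(template_name)


def hardened_rejects(template_name: str) -> bool:
    """True if the hardened path refuses the input (used by callers and tests)."""
    try:
        run_hardened(template_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(repr(run_vulnerable(HOSTILE_INPUT)))          # second line: INJECTED
    print(repr(run_list_no_validation(HOSTILE_INPUT)))  # one literal argument
    print(hardened_rejects(HOSTILE_INPUT), hardened_rejects(BENIGN_INPUT))
```

When auditing a PHP or Python web admin panel for this bug class, grep for `shell_exec`, `exec`, `system`, `popen` and `subprocess.run(..., shell=True)` and trace every string argument back to see whether any part of it originates from a request.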

CVE-2019-19006 is an Incorrect Access Control vulnerability affecting Sangoma FreePBX 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below. This one dates back to 2019, and its CVE record has been updated several times since.

Finally, CVE-2021-39935 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions.

“An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2,” the vulnerability’s CVE listing, last updated in 2021, says.

“Unauthorised external users could perform Server Side Requests via the CI Lint API.”

This has a CVSS score of 6.8.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
