Attacks on Solarwinds Web Help Desk, FreePBX and Gitlab observed

The US cybersecurity agency CISA has issued a warning about ongoing attacks on security vulnerabilities in Solarwinds Web Help Desk, FreePBX, and Gitlab. In some cases, the vulnerabilities are significantly older. IT managers should apply the available updates at this point at the latest.

In its security advisory, CISA is as usual reticent with further information about the attacks. However, the agency names the attacked vulnerability and the software in which it is located. Accordingly, attacks have been observed on a security vulnerability in Solarwinds Web Help Desk (WHD) that became known last week. In the version announcement for the current version 2026.1 of WHD, Solarwinds names several security vulnerabilities that are closed with it. Malicious actors are said to have targeted one of these vulnerabilities (CVE-2025-40551, CVSS 9.8, Risk “critical”): WHD performs deserialization of untrusted data, allowing attackers to execute malicious code from the network, as they can start commands on the host system – and to make matters worse, without prior authentication.

The open-source telephony software FreePBX from Sangoma struggled with faulty access controls in 2019 (CVE-2019-19006, CVSS 9.8, Risk “critical”) and in November last year with a vulnerability in the Endpoint Manager, allowing authenticated attackers to gain remote access as Asterisk user to vulnerable systems (CVE-2025-64328, CVSS 8.8, Risk “high”). According to CISA, these two security vulnerabilities have been the subject of recent attacks on the internet.

Third attacked software

In 2021, GitLab CE/EE patched a security vulnerability that allowed attackers from the network to execute a server-side request forgery attack through the CI-Lint API without prior authentication (CVE-2021-39935, CVSS 7.5, Risk “high”). Attacks on this were also observed on the internet.

CISA does not discuss the extent to which attacks are being carried out on the listed vulnerabilities. There are also no indications of successful attacks or attempted attacks that admins could look for. However, software updates are available, which they should install immediately if they have not already done so.

(dmk)