Here are the CVE updates for the week of February 2nd through the 8th.
🔴 Critical Severity Vulnerabilities
Sangoma FreePBX Improper Authentication Vulnerability (CISA KEV) | CVE-2019-19006
Description:
Sangoma FreePBX includes an incorrect access control vulnerability that affects versions 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below. Because the application does not properly enforce access restrictions, unauthorized users can directly reach protected functionality and sensitive system resources. As a result, attackers can bypass intended security controls and perform actions that should only be available to authenticated or privileged users.
Potential Impacts:
- Unauthorized Access: Attackers can access restricted administrative or system-level functions.
- Privilege Escalation: Improper access enforcement may allow low-privileged users to gain elevated permissions.
- Configuration Manipulation: Attackers can alter critical telephony or system settings without authorization.
- Information Disclosure: Sensitive data, such as configuration files or credentials, may be exposed.
- Service Disruption: Unauthorized actions can negatively affect system availability or VoIP services.
Mitigation Recommendations:
- Apply Updates: Upgrade FreePBX to a version that fully resolves the access control issue.
- Access Hardening: Review all modules and strictly enforce role-based access controls.
- Authentication Enforcement: Ensure all sensitive endpoints consistently require authentication and authorization checks.
- System Auditing: Regularly audit user permissions and review access logs for suspicious activity.
- Security Testing: Conduct periodic security assessments to proactively identify access control weaknesses.
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (CISA KEV) | CVE-2025-40551
Description:
SolarWinds Web Help Desk contains a deserialization vulnerability that allows remote attackers to execute arbitrary code without authentication. Specifically, the application improperly processes serialized data from untrusted sources. Consequently, attackers can craft malicious payloads that trigger command execution on the host system. If exploited, this flaw can lead to complete server compromise.
Potential Impacts:
- Remote Code Execution: Attackers can directly execute arbitrary system commands.
- Unauthenticated Exploitation: The attack does not require valid user credentials.
- System Compromise: Attackers can gain full control of the Web Help Desk server.
- Data Breach: Sensitive tickets, credentials, and system data may be exposed.
- Lateral Movement: Compromised servers can be used to pivot deeper into the internal network.
Mitigation Recommendations:
- Apply Updates: Upgrade SolarWinds Web Help Desk to the latest patched version.
- Restrict Network Access: Limit service exposure to trusted IP addresses only.
- Input Validation: Enforce strict validation and integrity checks on serialized data.
- Monitoring and Logging: Actively monitor logs for unusual behavior or command execution.
- Security Testing: Perform regular security assessments focused on deserialization risks.
React Native Community CLI OS Command Injection Vulnerability (CISA KEV) | CVE-2025-11953
Description:
The Metro Development Server used by the React Native Community CLI exposes an OS command injection vulnerability because it binds to external network interfaces by default. Moreover, the server includes an endpoint that improperly processes user-supplied input. As a result, unauthenticated attackers can send crafted POST requests that execute arbitrary executables. On Windows systems, attackers can also run shell commands with fully controlled arguments, significantly increasing risk.
Potential Impacts:
- Remote Code Execution: Attackers can execute arbitrary commands or binaries.
- Unauthenticated Access: No authentication is required to exploit the endpoint.
- Full System Compromise: Attackers may completely take over the development machine.
- Credential Exposure: Environment variables, API keys, and credentials may be accessed.
- Lateral Movement: Attackers can leverage compromised systems to reach other resources.
Mitigation Recommendations:
- Restrict Network Exposure: Configure the Metro server to bind only to localhost.
- Apply Updates: Update the React Native CLI and Metro Server immediately.
- Firewall Rules: Block external access to development server ports.
- Secure Development Practices: Avoid running development servers on exposed environments.
- Monitoring and Awareness: Monitor traffic for unauthorized requests and educate developers.
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability (CISA KEV) | CVE-2026-24423
Description:
SmarterTools SmarterMail versions prior to build 9511 suffer from an unauthenticated remote code execution vulnerability in the ConnectToHub API method. Specifically, attackers can redirect SmarterMail to a malicious HTTP server that serves a crafted OS command. When the application processes the response, it executes the command without authentication. Consequently, attackers can gain full control of the mail server.
Potential Impacts:
- Unauthenticated Remote Code Execution: Attackers can run OS-level commands without credentials.
- Server Compromise: Attackers may fully control the SmarterMail server.
- Data Breach: Email content, credentials, and configurations may be exposed or altered.
- Service Disruption: Attackers can delete data or cause denial-of-service conditions.
- Lateral Movement: Compromised servers can facilitate further internal attacks.
Mitigation Recommendations:
- Apply Security Updates: Upgrade SmarterMail to build 9511 or later.
- Restrict API Exposure: Limit access to the ConnectToHub API using firewalls and segmentation.
- Network Monitoring: Monitor outbound connections for suspicious external communication.
- Least Privilege: Run SmarterMail services with minimal required privileges.
- Incident Readiness: Review logs regularly and prepare response procedures.
🟠High Severity Vulnerabilities
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability (CISA KEV) | CVE-2021-39935: This vulnerability allows external users to abuse the CI Lint API to force GitLab servers to make arbitrary HTTP requests. As a result, attackers can access internal services or sensitive metadata that should remain inaccessible.
Sangoma FreePBX OS Command Injection Vulnerability (CISA KEV) | CVE-2025-64328: A post-authentication command injection flaw in the FreePBX Endpoint Manager filestore module allows authenticated users to inject system commands. Consequently, attackers can gain remote access with asterisk user privileges. Version 17.0.3 resolves this issue.
UTT HiPER 810G Remote Buffer Overflow Vulnerability | CVE-2026-2086: Improper handling of user input in the Management Interface allows remote attackers to trigger a buffer overflow. Because a public exploit exists, attackers can reliably compromise affected devices.
🟡 Medium Severity Vulnerabilities
Totolink WA300 OS Command Injection Vulnerability | CVE-2026-2167: This vulnerability allows remote attackers to inject OS commands through improper validation of the Ipaddr parameter. Moreover, the presence of a public exploit increases the likelihood of active exploitation.
SourceCodester Simple Responsive Tourism Website Cross-Site Scripting (XSS) Vulnerability | CVE-2026-2159: Insufficient input validation in the registration endpoint enables attackers to inject malicious scripts. As a result, attackers can target users remotely and abuse the application if administrators do not patch it.
WuKongOpenSource WukongCRM Improper Authorization Vulnerability | CVE-2026-2141: Improper authorization checks allow attackers to bypass access controls by manipulating crafted requests. Additionally, the availability of a public exploit significantly raises the risk of misuse.