The Cybersecurity and Infrastructure Security Agency has officially added a critical SolarWinds Web Help Desk flaw to its list of known exploited vulnerabilities due to active attacks. This specific security hole allows unauthenticated attackers to execute remote commands by exploiting a weakness in how the system handles untrusted data.
The Cybersecurity and Infrastructure Security Agency recently expanded its catalog of exploited vulnerabilities by including a severe flaw in the SolarWinds Web Help Desk software. This vulnerability, which carries a nearly perfect severity rating, stems from an issue where the system incorrectly processes data during deserialization. Because this flaw can be exploited without any prior authentication, it poses a significant risk by allowing attackers to gain remote control over host machines and execute unauthorized commands.
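The flaw described above belongs to the class of unsafe deserialization of untrusted data. The Java snippet below is an added illustration, not code from SolarWinds or from the article: it shows the weak pattern (feeding untrusted bytes straight into `readObject()`) beside the standard mitigation, a JEP 290 serialization filter that allowlists the one expected type. Java is assumed here because Web Help Desk is a Java web application; the `TicketUpdate` type and the class names are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;

public class DeserializationFilterDemo {

    // Hypothetical DTO standing in for the one type a request handler legitimately expects.
    public static final class TicketUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final String ticketId;
        TicketUpdate(String ticketId) { this.ticketId = ticketId; }
    }

    // Weak pattern: untrusted bytes go straight into readObject(), so the sender picks the class graph.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern (JEP 290): allowlist the expected class, reject every other class ("!*"),
    // and cap object-graph depth and stream size. A process-wide default can also be set with
    // -Djdk.serialFilter=... or ObjectInputFilter.Config.setSerialFilter(...).
    static Object safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$TicketUpdate;!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new TicketUpdate("T-1001"));          // constructed sample input
        byte[] unexpected = serialize(new ArrayList<String>());          // benign stand-in for an unwanted class
        System.out.println("safeRead(expected): " + ((TicketUpdate) safeRead(expected)).ticketId);
        System.out.println("unsafeRead(unexpected) accepted: " + unsafeRead(unexpected).getClass().getName());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safeRead(unexpected) rejected: " + e.getMessage());
        }
    }
}
```

The filter rejects the `ArrayList` stream with an `InvalidClassException` before any object is instantiated, which is the property the patched product needs: the application, not the request sender, decides which classes may be materialized.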
In response to these emerging threats, SolarWinds released a series of patches last week to address this critical issue along with several other high-severity vulnerabilities in its latest software version. While the agency has confirmed that the flaw is being weaponized in the wild, specific details regarding the identity of the attackers or the breadth of their operations remain undisclosed. This rapid transition from disclosure to exploitation highlights the speed at which modern threat actors capitalize on newly identified software weaknesses.
Beyond the SolarWinds incident, the government has also flagged vulnerabilities affecting GitLab and Sangoma FreePBX systems. The GitLab issue involves a server-side request forgery flaw that was notably part of a wider trend of similar attacks observed earlier in the year. Meanwhile, the flaws in Sangoma FreePBX have a long history of abuse, with one dating back several years and being used in organized cyber fraud operations to compromise voice-over-IP servers for profit.
Recent security research indicates that attackers are now using a new command injection flaw in FreePBX to deploy a specialized web shell known as EncystPHP. This malicious tool is designed to collect database configurations, establish persistent access by creating new root users, and modify system keys to ensure the attackers can return at will. The web shell provides an interactive interface that allows intruders to monitor active communication channels and extract sensitive configuration files from the compromised environment.
Because these tools operate within administrative contexts, they often blend in with legitimate system components, making them difficult for standard security measures to detect immediately. To mitigate these risks, federal agencies have been ordered to apply the necessary security updates for the SolarWinds flaw by early February, with deadlines for the remaining vulnerabilities set for later in the month. These mandates serve as a critical reminder for all organizations to prioritize patching systems that are actively being targeted by malicious actors.
Source: CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog