Emergency Briefing: 5 Actively Exploited Vulns — SolarWinds WHD (Feb 6) + Cisco UC (Feb 11)
CISO Intelligence Emergency Briefing - Draft
Executive Summary
Multiple actively exploited vulnerabilities are driving near-term remediation deadlines for enterprises and federal agencies.
Key deadlines:
SolarWinds Web Help Desk (CVE-2025-40551): Feb 6, 2026
Cisco Unified Communications (CVE-2026-20045): Feb 11, 2026
This briefing focuses on what to patch/mitigate immediately, plus a small set of legacy issues currently being hit in active campaigns.
Critical Threats Requiring Immediate Action
1. Cisco Unified Communications Remote Code Execution
**CVE-2026-20045** | CVSS: 8.2 | **Confirmed** Active Exploitation
Impact: Unauthenticated remote code execution with privilege escalation to root
Affected: Cisco Unified CM, CM SME, IM&P, Unity Connection, Webex Calling Dedicated Instance
Status: CISA confirmed active exploitation in the wild
Deadline: February 11, 2026 for federal agencies
Mechanism: Improper validation of HTTP requests enables command execution
Source: [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b) | [CISA KEV Entry](https://www.cisa.gov/news-events/alerts/2026/01/21/cisa-adds-one-known-exploited-vulnerability-catalog)
2. SolarWinds Web Help Desk Remote Code Execution
**CVE-2025-40551** | CVSS: 9.8 | **Confirmed** Active Exploitation
Impact: Unauthenticated remote code execution via deserialization vulnerability
Affected: SolarWinds Web Help Desk (fixed in version 2026.1)
Status: CISA flagged as actively exploited, added to KEV February 3, 2026
Deadline: February 6, 2026 for federal agencies (immediate priority)
Risk: Enterprise IT service management platform with backend integration access
Source: [CISA KEV Alert](https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog)
3. Fortinet FortiCloud SSO Authentication Bypass
**CVE-2026-24858** | **Confirmed** Known Exploitation
Impact: A malicious actor with a FortiCloud account and a registered device can authenticate to other organizations’ devices if FortiCloud SSO is enabled
Affected: FortiOS, FortiManager, FortiWeb, FortiProxy, FortiAnalyzer (FortiCloud SSO enabled)
Status: Added to CISA KEV catalog (Jan 27, 2026); federal deadline Jan 30, 2026 (recently passed)
Risk: Network/security infrastructure compromise: unauthorized config changes, account creation, VPN changes
Primary sources: [Fortinet PSIRT FG-IR-26-060](https://fortiguard.fortinet.com/psirt/FG-IR-26-060) | [CISA guidance](https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026)
4. Campaign exploitation: don’t ignore legacy exposure
In parallel with the high-severity vendor issues above, CISA KEV entries also reflect ongoing campaigns against older-but-still-common software:
FreePBX (CVE-2019-19006 / CVE-2025-64328) — ongoing exploitation activity reported in KEV updates
GitLab (CVE-2021-39935) — coordinated exploitation activity noted by multiple sources
If these are internet-facing in your environment, treat them as quick-win hardening/hunt items.
Source: [CISA Feb 3, 2026 KEV update](https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog)
Immediate Actions Required (what to do today)
1. Inventory exposure
UC/Comms owners: Cisco Unified CM / Unity / IM&P / Webex Calling Dedicated Instance
ITSM owners: SolarWinds Web Help Desk
Network/SecOps: Fortinet estate with FortiCloud SSO enabled
2. Patch / mitigate by deadline
SolarWinds WHD (CVE-2025-40551): patch to fixed version (2026.1) by Feb 6
Cisco UC (CVE-2026-20045): apply Cisco fixes by Feb 11
3. Fortinet containment
If you can’t fully remediate immediately, disable FortiCloud SSO where feasible and review for unauthorized configuration changes / new accounts / VPN changes.
4. Hunt quickly for the “campaign” items
If you run FreePBX or GitLab, treat the KEV notes as a prompt to check IOCs and tighten internet exposure.
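Added example (not from the briefing or any vendor): a Python triage script that runs a constructed asset inventory against the three vendor items above, using the affected products, the SolarWinds fixed version (2026.1), the FortiCloud SSO condition and the federal deadlines the briefing lists, and orders the hits by days remaining. The inventory, its field names and the hostnames are assumptions; Cisco and Fortinet have no fixed version on the page, so any matching asset is flagged for review rather than version-checked.

```python
# Added example: triage a constructed asset inventory against the briefing's KEV items.
from datetime import date

BRIEFING_DATE = date(2026, 2, 5)  # date this draft was prepared

# KEV items as stated in the briefing. "requires" is an inventory flag that must be
# true for exposure (assumed field name); "fixed" is the first non-vulnerable release.
KEV_ITEMS = {
    "CVE-2025-40551": {"vendor": "solarwinds", "products": {"web help desk"},
                       "fixed": (2026, 1), "deadline": date(2026, 2, 6)},
    "CVE-2026-20045": {"vendor": "cisco", "products": {"unified cm", "cm sme", "im&p",
                       "unity connection", "webex calling dedicated instance"},
                       "deadline": date(2026, 2, 11)},
    "CVE-2026-24858": {"vendor": "fortinet", "products": {"fortios", "fortimanager", "fortiweb",
                       "fortiproxy", "fortianalyzer"}, "requires": "forticloud_sso",
                       "deadline": date(2026, 1, 30)},
}

def parse_version(v):
    """'2025.4.1' -> (2025, 4, 1); non-numeric parts are dropped (assumed WHD scheme)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def is_exposed(asset, item):
    if asset["vendor"] != item["vendor"] or asset["product"] not in item["products"]:
        return False
    if "requires" in item and not asset.get(item["requires"], False):
        return False  # Fortinet bypass only applies when FortiCloud SSO is enabled
    if "fixed" in item and parse_version(asset["version"]) >= item["fixed"]:
        return False  # already on the fixed release or later
    return True  # no fixed version known on the page: flag for manual review

def triage(assets, today):
    """Return (cve, hostname, days_until_deadline) per exposed asset, most urgent first."""
    hits = [(cve, a["host"], (item["deadline"] - today).days)
            for a in assets for cve, item in KEV_ITEMS.items() if is_exposed(a, item)]
    return sorted(hits, key=lambda h: (h[2], h[0]))

# Constructed sample inventory; hostnames and versions are placeholders.
ASSETS = [
    {"host": "whd-01", "vendor": "solarwinds", "product": "web help desk", "version": "2025.4.1"},
    {"host": "whd-02", "vendor": "solarwinds", "product": "web help desk", "version": "2026.1"},
    {"host": "cucm-01", "vendor": "cisco", "product": "unified cm", "version": "15.0"},
    {"host": "fgt-edge", "vendor": "fortinet", "product": "fortios", "version": "7.4", "forticloud_sso": True},
    {"host": "fgt-lab", "vendor": "fortinet", "product": "fortios", "version": "7.4", "forticloud_sso": False},
]

if __name__ == "__main__":
    for cve, host, days in triage(ASSETS, BRIEFING_DATE):
        print(f"{cve}  {host:10s}  deadline in {days:+d} days")
```

A negative day count means the federal deadline has already passed, which is how the Fortinet item shows up on the briefing date.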
Intelligence Assessment
The clustering of critical vulnerabilities from major infrastructure vendors suggests either coordinated disclosure timing or accelerated threat actor vulnerability research efforts. The mix of recent zero-days (Cisco, SolarWinds) and weaponized legacy vulnerabilities (FreePBX, GitLab) indicates both opportunistic and persistent threat actor activity.
Organizations should expect continued pressure on communications, IT service management, and network security infrastructure through February 2026.
---
*Draft prepared: February 5, 2026, 10:00 AM Europe/Lisbon*
*Sources verified from primary vendor advisories and CISA official communications*

