Emergency Briefing: Five Active Exploitations Added to CISA KEV (Plus a Notepad++ Supply-Chain Compromise)
Date: 4 February 2026 (Europe/Lisbon)
Five items you should assume are being used against real targets right now.
CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Separately, Notepad++ has disclosed a state-sponsored supply-chain compromise affecting update infrastructure for high-value targets (June–Dec 2025).
If you run any of the affected products, treat this as a 72‑hour operational priority: patch/mitigate, verify exposure, and hunt for signs of compromise.
WHAT’S BEING EXPLOITED (CONFIRMED)
1. SolarWinds Web Help Desk — CVE-2025-40551
• Type: Unauthenticated RCE (deserialization)
• Status: Added to CISA KEV (active exploitation)
• Action: Update to the Jan 28, 2026 release; review logs for unusual process execution / web shell indicators.
• Source: CISA KEV Catalog — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
2. Sangoma FreePBX — CVE-2019-19006
• Type: Authentication bypass
• Status: Added to CISA KEV (active exploitation)
• Action: Patch; review authentication logs for anomalous access patterns.
• Source: CISA KEV Catalog — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
3. GitLab CE/EE — CVE-2021-39935
• Type: Server-side request forgery (SSRF)
• Status: Added to CISA KEV (active exploitation)
• Action: Patch; review outbound/internal request activity from GitLab; watch for metadata/service discovery abuse.
• Source: CISA KEV Catalog — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
4. Sangoma FreePBX — CVE-2025-64328
• Type: OS command injection
• Status: Added to CISA KEV (active exploitation)
• Action: Patch; audit command execution and unusual cron/shell activity.
• Source: CISA KEV Catalog — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
5. Notepad++ — supply-chain compromise (June–Dec 2025)
• Type: Selective redirect of update checks for high-value targets to attacker-controlled servers
• Status: Confirmed by the Notepad++ project; attribution included in their disclosure
• Action: Ensure endpoints are on Notepad++ 8.8.9+; avoid legacy auto-updater; validate software integrity on systems that updated during the affected period.
• Source: Notepad++ disclosure — https://notepad-plus-plus.org/news/hijacked-incident-info-update/
WHAT I’D TELL A CISO TO DO IN THE NEXT 72 HOURS
1. Identify exposure fast
• Do we run SolarWinds Web Help Desk, Sangoma FreePBX, or GitLab (CE/EE)? Are they internet-reachable?
2. Patch / mitigate now (don’t wait for change windows)
• KEV means exploitation is not theoretical. Reduce attack surface immediately.
3. Assume possible compromise and hunt accordingly
• Look for web app exploitation indicators, suspicious auth events (FreePBX), and anomalous internal request patterns (GitLab SSRF).
• For Notepad++, confirm version and integrity; investigate endpoints used by privileged users.
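As an added illustration of steps 1 and 3 above (example code, not part of the original briefing), a small Python triage script that cross-references a constructed asset inventory against KEV-shaped records and flags Notepad++ installs below 8.8.9. The KEV records, inventory and endpoint list are constructed samples; matching on the feed's product field is a simplification, and the real feed's product naming should be checked before relying on it.

```python
"""Triage helper: which assets match KEV entries, and which Notepad++
installs predate the fixed release. Sample data below is constructed."""
import json

# Constructed records in the shape of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
# trimmed to the four CVEs in the briefing and the fields used here.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma", "product": "FreePBX"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab", "product": "GitLab CE/EE"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma", "product": "FreePBX"},
]})

# Constructed inventory: (hostname, product, internet-reachable?)
INVENTORY = [
    ("helpdesk-01", "Web Help Desk", True),
    ("pbx-dc1", "FreePBX", False),
    ("git.internal", "GitLab CE/EE", False),
    ("wiki-01", "Confluence", True),   # not in the sample feed: no hit
]

# Constructed endpoint list: (hostname, Notepad++ version, privileged user?)
ENDPOINTS = [("ws-admin-01", "8.8.9", True), ("ws-finance-02", "8.8.7", False),
             ("ws-devops-03", "8.7.1", True)]
MIN_NPP = (8, 8, 9)   # first release the project says is safe to be on


def kev_products(feed_json):
    """Map lower-cased product name -> set of KEV CVE IDs."""
    hits = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        hits.setdefault(v["product"].lower(), set()).add(v["cveID"])
    return hits


def prioritise(inventory, feed_json):
    """[(priority, host, product, sorted CVEs)]; internet-facing hosts are P1."""
    kev = kev_products(feed_json)
    out = [("P1" if exposed else "P2", host, product, sorted(kev[product.lower()]))
           for host, product, exposed in inventory if product.lower() in kev]
    return sorted(out)   # "P1" sorts before "P2", then by host


def parse_version(s):
    """Numeric tuple so that 8.8.10 > 8.8.9 (a string compare would get this wrong)."""
    return tuple(int(p) for p in s.split("."))


def outdated_notepadpp(endpoints):
    """[(host, version)] below MIN_NPP, privileged-user endpoints first."""
    flagged = [(not priv, host, ver) for host, ver, priv in endpoints
               if parse_version(ver) < MIN_NPP]
    return [(host, ver) for _, host, ver in sorted(flagged)]
```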
WHY KEV MATTERS
KEV is one of the cleanest “drop everything” signals available: it’s based on observed exploitation, not theoretical risk. Even if you’re not a federal agency, it’s an excellent prioritisation filter.