--===============0498958697901656220==
Content-Type: multipart/alternative; boundary="===============4255065218965693485=="
MIME-Version: 1.0
--===============4255065218965693485==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Cybersecurity and Infrastructure Security Agency (CISA)
You are subscribed to Cybersecurity Advisories for Cybersecurity and Infras= tructure Security Agency. This information has recently been updated and is=
now available.
CISA Adds Four Known Exploited Vulnerabilities to Catalog [
https://www.cis= a.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerab= ilities-catalog ] 02/03/2026 1:30 PM EST=20
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilit= ies (KEV) Catalog [
https://www.cisa.gov/known-exploited-vulnerabilities-ca= talog ], based on evidence of active exploitation.
* CVE-2019-19006 [
https://www.cve.org/CVERecord?id=3DCVE-2019-19006 ] Sa= ngoma FreePBX Improper Authentication Vulnerability=20
* CVE-2021-39935 [
https://www.cve.org/CVERecord?id=3DCVE-2021-39935 ] Gi= tLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) V= ulnerability=20
* CVE-2025-40551 [
https://www.cve.org/CVERecord?id=3DCVE-2025-40551 ] So= larWinds Web Help Desk Deserialization of Untrusted Data Vulnerability=20
* CVE-2025-64328 [
https://www.cve.org/CVERecord?id=3DCVE-2025-64328 ] Sa= ngoma FreePBX OS Command Injection Vulnerability=20
These types of vulnerabilities are frequent attack vectors for malicious cy= ber actors and pose significant risks to the federal enterprise.=C2=A0
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of=
Known Exploited Vulnerabilities [
https://www.cisa.gov/binding-operational= -directive-22-01 ]=C2=A0established the KEV Catalog as a living list of kno=
wn Common Vulnerabilities and Exposures (CVEs) that carry significant risk =
to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Br= anch (FCEB) agencies to remediate identified vulnerabilities by the due dat=
e to protect FCEB networks against active threats. See the=C2=A0BOD 22-01 F= act Sheet [
https://www.cisa.gov/sites/default/files/publications/Reducing_= the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf ]=C2=A0f=
or more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all o= rganizations to reduce their exposure to cyberattacks by prioritizing timel=
y remediation of=C2=A0KEV Catalog vulnerabilities [
https://www.cisa.gov/kn= own-exploited-vulnerabilities-catalog ]=C2=A0as part of their vulnerability=
management practice. CISA will continue to add vulnerabilities to the cata= log that meet the=C2=A0specified criteria [
https://www.cisa.gov/known-expl= oited-vulnerabilities ].
This product is provided subject to this=C2=A0Notification [
https://www.ci= sa.gov/notification ]=C2=A0and this=C2=A0Privacy & Use [
https://www.cisa.g= ov/privacy-policy ] policy
body { font-size: 1em; font-family: Arial, Verdana, sans-serif; font-weight=
: normal; font-style: normal; color: #333333; }=20
Having trouble viewing this message?=C2=A0View it as a webpage [
https://co= ntent.govdelivery.com/accounts/USDHSCISA/bulletins/40778cf ].=C2=A0 [ https= ://content.govdelivery.com/accounts/USDHS/bulletins/292141e ]
You are subscribed to updates from the Cybersecurity and Infrastructure Sec= urity Agency [
https://www.cisa.gov ] (CISA)
Manage Subscriptions [
https://public.govdelivery.com/accounts/USDHSCISA/su= bscriber/edit?preferences=3Dtrue#tab1 ]=C2=A0=C2=A0|=C2=A0=C2=A0Privacy Pol= icy [
https://www.cisa.gov/privacy-policy ]=C2=A0=C2=A0|=C2=A0 Help [ https= ://subscriberhelp.granicus.com/s/article/Subscriber-Help-Center ] [ https:/= /insights.govdelivery.com/Communications/Subscriber_Help_Center ]
Connect with CISA:=20
Facebook [
https://www.facebook.com/CISA ]=C2=A0 |=C2=A0 Twitter [
https://= twitter.com/CISAgov ]=C2=A0 |=C2=A0 Instagram [
https://Instagram.com/cisag=
ov ]=C2=A0 |=C2=A0 LinkedIn [
https://www.linkedin.com/company/cybersecurit= y-and-infrastructure-security-agency ]=C2=A0 |=C2=A0=C2=A0 YouTube [ https:= //www.youtube.com/channel/UCxyq9roe-npgzrVwbpoAy0A ]
________________________________________________________________________
This email was sent to
cisa@toolazy.synchro.net using GovDelivery Communica= tions Cloud, on behalf of: Cybersecurity and Infrastructure Security Agency=
=C2=B7 707 17th St, Suite 4000 =C2=B7 Denver, CO 80202 GovDelivery logo [ =
https://subscriberhelp.granicus.com/ ]=20
body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margi= n-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_displa=
y img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; ma= rgin-right:0px;}
--===============4255065218965693485==
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"
http://www.w3.org/1999/xhtml" xml:lang=3D"en" lang=3D"en"> <head>
<title> CISA Adds Four Known Exploited Vulnerabilities to Catalog
</title>
</head>
<body style=3D"">
<table width=3D"700" border=3D"0" cellspacing=3D"0" cellpadding=3D"0"=
align=3D"center">
<tr>
<td>
<!--[if (gte mso 9)|(IE)]>
<table style=3D"display:none"><tr><td><a name=3D"gd_top" id=3D"gd_top"></= a></td></tr></table>
<![endif]-->
<a name=3D"gd_top" id=3D"gd_top"></a>
=20
<p><img src=3D"
https://content.govdelivery.com/attachments/fancy_images/U= SDHSCISA/2020/06/3486054/05152023-gov-delivery-banner-copy_original.png" al= t=3D"Cybersecurity and Infrastructure Security Agency (CISA)" title=3D"" wi= dth=3D"600" height=3D"100"></p>
<p>You are subscribed to Cybersecurity Advisories for Cybersecurity and I= nfrastructure Security Agency. This information has recently been updated a=
nd is now available.</p>
<div class=3D"rss_item" style=3D"margin-bottom: 2em;">
<div class=3D"rss_title" style=3D"font-weight: bold; font-size: 120%; margi=
n: 0 0 0.3em; padding: 0;"><a href=3D"
https://www.cisa.gov/news-events/aler= ts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog" targe= t=3D"_blank" title=3D"CISA Adds Four Known Exploited Vulnerabilities to Cat= alog" rel=3D"noopener">CISA Adds Four Known Exploited Vulnerabilities to Ca= talog</a></div>
<div class=3D"rss_pub_date" style=3D"font-size: 90%; font-style: italic; co= lor: #666666; margin: 0 0 0.3em; padding: 0;">02/03/2026 1:30 PM EST</div>
<div class=3D"rss_description" style=3D"margin: 0 0 0.3em; padding: 0;"> <p>CISA has added four new vulnerabilities to its <a href=3D"
https://www.ci= sa.gov/known-exploited-vulnerabilities-catalog" target=3D"_blank" title=3D"= Known Exploited Vulnerabilities (KEV) Catalog" data-entity-type=3D"node" da= ta-entity-uuid=3D"79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substit= ution=3D"canonical" rel=3D"noopener">Known Exploited Vulnerabilities (KEV) = Catalog</a>, based on evidence of active exploitation.<span data-teams=3D"t= rue"></span></p>
<span data-teams=3D"true"><a id=3D"menur15nf" href=3D"
https://www.cve.org/C= VERecord?id=3DCVE-2019-19006" target=3D"_blank" title=3D"CVE-2019-19006" cl= ass=3D"fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gp=
dv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cm= lufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje = f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" aria-label= =3D"Link CVE-2025-8110" rel=3D"noopener">CVE-2019-19006</a></span> Sangoma = FreePBX Improper Authentication Vulnerability</li>
<span data-teams=3D"true"><a id=3D"menur15nf" href=3D"
https://www.cve.org/C= VERecord?id=3DCVE-2021-39935" target=3D"_blank" title=3D"CVE-2021-39935" cl= ass=3D"fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gp=
dv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cm= lufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje = f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" aria-label= =3D"Link CVE-2025-8110" rel=3D"noopener">CVE-2021-39935</a></span> GitLab C= ommunity and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnera= bility</li>
<span data-teams=3D"true"><a id=3D"menur15nf" href=3D"
https://www.cve.org/C= VERecord?id=3DCVE-2025-40551" target=3D"_blank" title=3D"CVE-2025-40551" cl= ass=3D"fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gp=
dv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cm= lufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje = f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" aria-label= =3D"Link CVE-2025-8110" rel=3D"noopener">CVE-2025-40551</a></span> SolarWin=
ds Web Help Desk Deserialization of Untrusted Data Vulnerability</li>
<span data-teams=3D"true"><a id=3D"menur15nf" href=3D"
https://www.cve.org/C= VERecord?id=3DCVE-2025-64328" target=3D"_blank" title=3D"CVE-2025-64328" cl= ass=3D"fui-Link ___1q1shib f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gp=
dv fk6fouc fjoy568 figsok6 f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cm= lufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje = f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" aria-label= =3D"Link CVE-2025-8110" rel=3D"noopener">CVE-2025-64328</a></span> Sangoma = FreePBX OS Command Injection Vulnerability</li>
</ul>
<p>These types of vulnerabilities are frequent attack vectors for malicious=
cyber actors and pose significant risks to the federal enterprise.=C2=A0</=
<p><a href=3D"
https://www.cisa.gov/binding-operational-directive-22-01" tit= le=3D"Binding Operational Directive (BOD) 22-01: Reducing the Significant R= isk of Known Exploited Vulnerabilities">Binding Operational Directive (BOD)=
22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a= >=C2=A0established the KEV Catalog as a living list of known Common Vulnera= bilities and Exposures (CVEs) that carry significant risk to the federal en= terprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agenc= ies to remediate identified vulnerabilities by the due date to protect FCEB=
networks against active threats. See the=C2=A0<a href=3D"
https://www.cisa.= gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known= _Exploited_Vulnerabilities_211103.pdf" title=3D"BOD 22-01 Fact Sheet">BOD 2= 2-01 Fact Sheet</a>=C2=A0for more information.</p>
<p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges al=
l organizations to reduce their exposure to cyberattacks by prioritizing ti= mely remediation of=C2=A0<a href=3D"
https://www.cisa.gov/known-exploited-vu= lnerabilities-catalog" target=3D"_blank" title=3D"KEV Catalog vulnerabiliti= es" data-entity-type=3D"node" data-entity-uuid=3D"79453b83-86b9-4e2f-b1ec-a= bf73c6eb291" data-entity-substitution=3D"canonical" rel=3D"noopener">KEV Ca= talog vulnerabilities</a>=C2=A0as part of their vulnerability management pr= actice. CISA will continue to add vulnerabilities to the catalog that meet = the=C2=A0<a href=3D"
https://www.cisa.gov/known-exploited-vulnerabilities" t= arget=3D"_blank" title=3D"specified criteria" data-entity-type=3D"node" dat= a-entity-uuid=3D"f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitu= tion=3D"canonical" rel=3D"noopener">specified criteria</a>.</p>
<p><span>This product is provided subject to this=C2=A0</span><a href=3D"ht= tps://www.cisa.gov/notification" target=3D"_blank" title=3D"Notification" r= el=3D"noopener">Notification</a><span>=C2=A0and this=C2=A0</span><a href=3D= "
https://www.cisa.gov/privacy-policy" target=3D"_blank" title=3D"Privacy &a= mp; Use" rel=3D"noopener">Privacy & Use</a><span> policy</span></p>
</div>
</div>
<style>body {
font-size: 1em; font-family: Arial, Verdana, sans-serif; font-weight: norma=
l; font-style: normal; color: #333333;
}
</style>
=20
<div id=3D"mail_footer">
<p style=3D"text-align: center;"><span style=3D"font-size: 10.0pt; colo=
r: #757575;">Having trouble viewing this message?=C2=A0</span><a href=3D"ht= tps://content.govdelivery.com/accounts/USDHSCISA/bulletins/40778cf" target= =3D"_blank" rel=3D"noopener">View it as a webpage</a>.=C2=A0<a href=3D"http= s://content.govdelivery.com/accounts/USDHS/bulletins/292141e" target=3D"_bl= ank" rel=3D"noopener"></a><span style=3D"font-size: 10.0pt; color: #757575;= "></span></p>
<p style=3D"text-align: center;"><span style=3D"font-size: 10.0pt; color: #= 757575;">You are subscribed to updates from the </span><a href=3D"
https://w= ww.cisa.gov"><span style=3D"font-size: 10.0pt;">Cybersecurity and Infrastru= cture Security Agency</span></a><span style=3D"font-size: 10.0pt; color: #7= 57575;"> (CISA)<br></span><a href=3D"
https://public.govdelivery.com/account= s/USDHSCISA/subscriber/edit?preferences=3Dtrue#tab1" target=3D"_blank" rel= =3D"noopener"><span style=3D"font-size: 10.0pt; color: #00568c;">Manage Sub= scriptions</span></a>=C2=A0=C2=A0<span style=3D"font-size: 10.0pt; color: #= 757575;">|=C2=A0=C2=A0</span><a href=3D"
https://www.cisa.gov/privacy-policy=
" target=3D"_blank" rel=3D"noopener"><span style=3D"font-size: 10.0pt; colo=
r: #00568c;">Privacy Policy</span></a><span style=3D"font-size: 10.0pt; col= or: #757575;">=C2=A0=C2=A0|=C2=A0 <a href=3D"
https://subscriberhelp.granicu= s.com/s/article/Subscriber-Help-Center" target=3D"_blank" rel=3D"noopener">= Help</a><a href=3D"
https://insights.govdelivery.com/Communications/Subscrib= er_Help_Center" target=3D"_blank" rel=3D"noopener"></a></span><span style= =3D"font-size: 10.0pt; color: #757575;"></span></p>
<p style=3D"text-align: center;"><span style=3D"font-size: 10.0pt; color: #= 757575;">Connect with CISA: <br></span><a href=3D"
https://www.facebook.com/= CISA" target=3D"_blank" rel=3D"noopener"><span style=3D"font-size: 10.0pt; = color: #00568c;">Facebook</span></a><span style=3D"font-size: 10.0pt; color=
: #757575;">=C2=A0 |=C2=A0 </span><a href=3D"
https://twitter.com/CISAgov" t= arget=3D"_blank" rel=3D"noopener"><span style=3D"font-size: 10.0pt; color: = #00568c;">Twitter</span></a><span style=3D"font-size: 10.0pt; color: #75757= 5;">=C2=A0 |=C2=A0 </span><a href=3D"
https://Instagram.com/cisagov" target= =3D"_blank" rel=3D"noopener"><span style=3D"font-size: 10.0pt; color: #0056= 8c;">Instagram</span></a><span style=3D"font-size: 10.0pt; color: #757575;"= >=C2=A0 |=C2=A0 </span><a href=3D"
https://www.linkedin.com/company/cybersec= urity-and-infrastructure-security-agency" target=3D"_blank" rel=3D"noopener= "><span style=3D"font-size: 10.0pt; color: #00568c;">LinkedIn</span></a><sp=
an style=3D"font-size: 10.0pt; color: #757575;">=C2=A0 |=C2=A0=C2=A0 </span= ><a href=3D"
https://www.youtube.com/channel/UCxyq9roe-npgzrVwbpoAy0A" targe= t=3D"_self"><span style=3D"font-size: 10.0pt; color: #00568c;">YouTube</spa= n></a><span style=3D"font-size: 10.0pt; color: #757575;"></span></p>
</div>
<div id=3D"tagline">
<hr>
<table style=3D"width: 100%;" border=3D"0" cellspacing=3D"0" cellpadding=3D=
<tbody>
<td style=3D"color: #757575; font-size: 10px; font-family: Arial;" width=3D= "89%">This email was sent to
cisa@toolazy.synchro.net using GovDelivery Com= munications Cloud, on behalf of: Cybersecurity and Infrastructure Security = Agency =C2=B7 707 17th St, Suite 4000 =C2=B7 Denver, CO 80202</td>
<td align=3D"right" width=3D"11%"><a href=3D"
https://subscriberhelp.granicu= s.com/" target=3D"_blank" rel=3D"noopener"><img src=3D"
https://content.govd= elivery.com/images/govd-logo-dark.png" border=3D"0" alt=3D"GovDelivery logo=
" width=3D"115"></a></td>
</tr>
</tbody>
</table>
<style type=3D"text/css">body .abe-column-block { min-height: 5px; } table.= gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_ta= ble div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell=
img {margin-left:0px; margin-right:0px;}</style>
</div>
</td>
</tr>
</table>
<img alt=3D"" src=3D"
https://links-2.govdelivery.com/CI0/0101019c24ce00aa-6= 25a95ac-13a9-419b-95e0-6ee101c8b79d-000000/r-w6Te5GaBAr16_JLdYbdJDZ4J-NAgaW= yIbLGTJnRfM=3D442" style=3D"display: none; width: 1px; height: 1px;">
</body>
</html>
--===============4255065218965693485==--
--===============0498958697901656220==--