CRITICAL ALERT: Active Zero-Day Exploits

Immediate Threat Summary: A wave of critical vulnerabilities with CVSS scores ranging from 8.0 to 10.0 is currently being exploited in the wild by automated botnets and ransomware operators. CISA has added these to the Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies and critical infrastructure. The most severe threats include unauthenticated Remote Code Execution (RCE) in Google Chrome, authentication bypasses in Sangoma FreePBX, and deserialization flaws in SolarWinds Web Help Desk, all allowing attackers to gain root privileges without user interaction.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2019-19006 (CVSS: 9.8): Sangoma FreePBX allows unauthenticated attackers to bypass password authentication and reach the admin interface because of incorrect access control. Exploited in the wild since 2019, including in active ransomware campaigns.
  • CVE-2024-52178 (CVSS: 10): CyberPanel allows remote attackers to bypass authentication and execute arbitrary commands through the DOS/FTP endpoints, evading secMiddleware with shell metacharacters. Exploited in the wild in October 2024.
  • CVE-2024-5274 (CVSS: 9.6): Google Chrome (V8) type confusion allows remote attackers to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Active exploitation observed.
  • CVE-2024-5217 (CVSS: 9.8): ServiceNow Now Platform input validation vulnerability enables unauthenticated users to remotely execute code. Fixed in the June 2024 patches.
  • CVE-2024-51567 (CVSS: 10): CyberPanel allows remote code execution via unauthenticated access to the database upgrade endpoints using shell metacharacters. Exploited in the wild in October 2024.
  • CVE-2025-32432 (CVSS: 10): Craft CMS RCE vulnerability in versions 3.x, 4.x, and 5.x allows high-impact, low-complexity attacks. Patched in 3.9.15, 4.14.15, and 5.6.17.
  • CVE-2025-54253 (CVSS: 10): Adobe Experience Manager misconfiguration allows arbitrary code execution without user interaction. Exploited in the wild.
  • CVE-2025-61882 (CVSS: 9.8): Oracle E-Business Suite allows an unauthenticated network attack over HTTP to compromise Concurrent Processing, resulting in full takeover.
  • CVE-2025-57819 (CVSS: 9.8): FreePBX 15, 16, and 17 endpoints allow unauthenticated admin access, leading to arbitrary database manipulation and RCE. Patched in 15.0.66, 16.0.89, and 17.0.3.
  • CVE-2025-40551 (CVSS: 9.8): SolarWinds Web Help Desk untrusted-data deserialization allows unauthenticated RCE. Fixed in version 2026.1.

⚡ Immediate Actions Required

1. Patch Critical Endpoints: Immediately update Google Chrome to version 125.0.6422.112+ (and 128.0.6613.84+ for the newer flaws), Craft CMS to 5.6.17+, and Adobe Experience Manager to the latest patch. SolarWinds Web Help Desk users must upgrade to 2026.1 immediately.

2. Disable Vulnerable Services: For unpatched Sangoma FreePBX systems, block external access to the admin interface, or shut down the service if no mitigations are available, per CISA BOD 22-01 guidance.

3. Network Segmentation: Restrict access to ServiceNow, Oracle E-Business Suite, and SolarWinds management interfaces to trusted internal IPs only. Do not expose these to the public internet.

4. Monitor for Exploitation: Alert on log entries showing unauthorized access attempts to admin endpoints, shell command execution, and deserialization payloads. CISA mandates federal patching deadlines (e.g., Nov 8, 2025 for related flaws; Feb 24, 2026 for CVE-2019-19006).

5. Verify Integrity: Scan all systems for evidence of RCE, file uploads, and unauthorized configuration changes, particularly in CyberPanel and Adobe Experience Manager deployments.
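Step 1 names a fixed version for each affected product, and the first thing a practitioner wants is a repeatable check of which hosts are still below it. The script below is an added example, not part of the original alert: it encodes only the patched versions the alert itself quotes (Chrome, Craft CMS, FreePBX, SolarWinds Web Help Desk) and audits a constructed inventory against them. The product names, host names and installed versions in SAMPLE_INVENTORY are assumptions for illustration; a release train the alert does not cover (for example FreePBX 14) is reported as "unknown" rather than silently passed.

```python
"""Patch-compliance audit against the fixed versions quoted in this alert.

Added example; not the alert's own tooling. FIXED_VERSIONS holds only the
versions the alert lists. The inventory below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fixed version per product, keyed by major release train where the alert
# gives several. "*" means one fixed version applies regardless of train.
# Chrome: 125.0.6422.112 fixes CVE-2024-5274; the alert asks for
# 128.0.6613.84+ for newer flaws, so the later version is the bar here.
FIXED_VERSIONS = {
    "Google Chrome": {"*": "128.0.6613.84"},
    "Craft CMS": {"3": "3.9.15", "4": "4.14.15", "5": "5.6.17"},       # CVE-2025-32432
    "FreePBX": {"15": "15.0.66", "16": "16.0.89", "17": "17.0.3"},      # CVE-2025-57819
    "SolarWinds Web Help Desk": {"*": "2026.1"},                        # CVE-2025-40551
}


def parse_version(text: str) -> tuple:
    """'125.0.6422.112' -> (125, 0, 6422, 112); non-numeric suffixes are ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(installed: str, required: str) -> bool:
    """Compare dotted versions numerically, padding the shorter one with zeros
    so that '2026.1' and '2026.1.0' compare equal."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def required_version(product: str, installed: str) -> Optional[str]:
    """Fixed version the alert names for this product and release train,
    or None when the alert names none (unlisted product or train)."""
    trains = FIXED_VERSIONS.get(product)
    if trains is None:
        return None
    if "*" in trains:
        return trains["*"]
    major = str(parse_version(installed)[0])
    return trains.get(major)


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    required: Optional[str]
    status: str  # "patched", "VULNERABLE", or "unknown"


def audit(inventory) -> list:
    """Classify every (host, product, installed_version) record."""
    findings = []
    for host, product, installed in inventory:
        required = required_version(product, installed)
        if required is None:
            status = "unknown"          # alert lists no fixed version for this train
        elif version_at_least(installed, required):
            status = "patched"
        else:
            status = "VULNERABLE"
        findings.append(Finding(host, product, installed, required, status))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome", "125.0.6422.112"),   # fixes the V8 flaw but below the newer bar
    ("ws-02", "Google Chrome", "128.0.6613.84"),
    ("web-01", "Craft CMS", "5.6.17"),
    ("web-02", "Craft CMS", "4.14.9"),
    ("pbx-01", "FreePBX", "16.0.89"),
    ("pbx-02", "FreePBX", "14.0.13"),               # train not covered by the alert
    ("whd-01", "SolarWinds Web Help Desk", "12.8.3"),
    ("whd-02", "SolarWinds Web Help Desk", "2026.1"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.status:10} {f.host:8} {f.product:26} installed={f.installed} required={f.required}")
```

Feed the audit from whatever inventory source you already have (endpoint agent export, package manager query, CMDB extract) and treat "unknown" as a triage item, not a pass: it means the host runs a train the alert gives no fixed version for, which is often an end-of-life release.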