Site icon TheCyberThrone

CISA Adds SmarterMail and React Native CLI Flaws to KEV Catalog

Advertisements

U.S. CISA has escalated two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. CVE-2026-24423 in SmarterTools SmarterMail and CVE-2025-11953 in React Native Community CLI demand immediate attention from organizations worldwide.

SmarterMail RCE Flaw Details

CVE-2026-24423 carries a CVSS score of 9.3 and stems from a missing authentication check in the ConnectToHub API method in SmarterMail versions prior to build 9511. Attackers can exploit this unauthenticated remote code execution (RCE) vulnerability by tricking the server into connecting to a malicious HTTP endpoint, enabling arbitrary OS command execution.

SmarterTools released build 9511 in late January 2026 to address the issue. Ransomware actors have already targeted exposed instances, underscoring the flaw’s severity in real-world attacks.

React Native CLI Command Injection

CVE-2025-11953 allows unauthenticated OS command injection through the Metro dev server, which binds to external interfaces by default. Remote attackers send POST requests to trigger arbitrary executables; on Windows, they gain full control over shell arguments.

VulnCheck reported sustained exploitation campaigns starting December 21, 2025, involving PowerShell loaders that disable Windows Defender defenses.

Actionable Recommendations

Federal Civilian Executive Branch (FCEB) agencies face a Binding Operational Directive (BOD 22-01) deadline of February 26, 2026, to patch or discontinue use. All organizations should:

Exposed servers persist online, amplifying risks—prioritize vulnerability management now to mitigate breach potential.

Exit mobile version