CISA has added two actively exploited vulnerabilities—CVE-2025-11953 in the React Native Community CLI and CVE-2026-24423 in SmarterTools SmarterMail—to its Known Exploited Vulnerabilities Catalog. While BOD 22-01 mandates remediation only for FCEB agencies, CISA urges all organizations to prioritize timely patching and vulnerability management to reduce exposure.
Key points
- CISA added CVE-2025-11953 and CVE-2026-24423 to the KEV Catalog due to evidence of active exploitation.
- CVE-2025-11953 is an OS command injection vulnerability in the React Native Community CLI.
- CVE-2026-24423 is a missing authentication issue affecting a critical function in SmarterTools SmarterMail.
- These types of vulnerabilities are common attack vectors and pose significant risks to the federal enterprise.
- Although BOD 22-01 applies only to FCEB agencies, CISA urges all organizations to prioritize timely remediation and will continue updating the KEV Catalog.