U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2025-11953 React Native Community CLI OS Command Injection Vulnerability
- CVE-2026-24423 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
Attackers are actively exploiting a critical flaw in the React Native CLI Metro server, tracked as CVE-2025-11953. The React Native CLI’s Metro dev server binds to external interfaces by default and exposes a command injection flaw. Unauthenticated attackers can send POST requests to execute arbitrary programs, and on Windows can also run shell commands with fully controlled arguments.
“The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables.” reads the advisory. “On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.”
Metro is the JavaScript bundler and dev server used by React Native. By default, it can expose an endpoint that lets unauthenticated attackers run OS commands on Windows.
VulnCheck researchers observed consistent, real-world attacks weeks before broad disclosure.
VulnCheck spotted real-world exploitation of CVE-2025-11953 (Metro4Shell) on December 21, 2025, and again in January, showing attackers kept using it. Despite this, the activity still lacks broad public attention and carries a low EPSS score. The gap is risky, since the flaw is easy to exploit and many exposed servers remain online.
“Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405.” reads the advisory published by VulnCheck. “This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet.”
VulnCheck found active, sustained exploitation of CVE-2025-11953, showing it was used operationally rather than for testing. Attackers delivered a multi-stage, base64-encoded PowerShell loader via cmd.exe, disabled Microsoft Defender protections, fetched payloads over raw TCP, and executed a downloaded binary. The malware was a UPX-packed Rust payload with basic anti-analysis features.
The experts noted that attacks reused the same infrastructure and techniques for weeks. VulnCheck warns the lack of public acknowledgment risks leaving defenders unprepared, as exploitation often begins well before official recognition.
At the end of January, SmarterTools fixed two security bugs in its SmarterMail email software, including a critical vulnerability, tracked as CVE-2026-24423 (CVSS score of 9.3) that could let attackers run malicious code on affected systems.
“SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method.” reads the advisory. “The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.”
The researchers Sina Kheirkhah & Piotr Bazydlo of watchTowr, Markus Wulftange of CODE WHITE GmbH, and Cale Black of VulnCheck reported the vulnerability.
SmarterTools addressed the issue in version Build 9511.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by February 26, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)