CISA KEV Updates and New Enrichment Tooling for Vulnerability Prioritization
CISA’s Known Exploited Vulnerabilities (KEV) program continues to be used as an operational prioritization mechanism for vulnerabilities with confirmed exploitation, but recent analysis cautions it is often misunderstood as a definitive list of the “worst” vulnerabilities. A paper by former CISA KEV section chief Tod Beardsley describes how enrichment signals (e.g., CVSS, EPSS, SSVC, public exploit availability in Metasploit/Nuclei, and MITRE ATT&CK mappings) can be combined to better triage KEV entries, and introduces KEV Collider, a free web app/dataset intended to help teams explore and validate enriched KEV data; one highlighted finding is that only ~32% of KEV-listed vulnerabilities are “immediately exploitable for initial access.”
CISA also added two vulnerabilities to the KEV catalog due to active exploitation: CVE-2026-24423 (SmarterTools SmarterMail) and CVE-2025-11953 (React Native Community CLI). CVE-2026-24423 is described as an unauthenticated RCE tied to a missing authentication check in the ConnectToHub API method in SmarterMail builds prior to 9511, enabling command execution by coercing the server to connect to a malicious HTTP endpoint; build 9511 was released to remediate, and ransomware activity has reportedly targeted exposed instances. CVE-2025-11953 is described as unauthenticated OS command injection via the Metro dev server (notably when bound to external interfaces), with reporting of exploitation activity involving PowerShell-based loaders and defense evasion; U.S. federal agencies are directed under BOD 22-01 to remediate by the stated KEV deadline, and other organizations are advised to patch/upgrade and reduce exposure (e.g., bind Metro to localhost) while monitoring for suspicious PowerShell and related post-exploitation behavior.
Related Entities
Vulnerabilities
Malware
Organizations
Affected Products
Sources
Related Stories
CISA Adds React Native Community CLI and SmarterMail Flaws to Known Exploited Vulnerabilities Catalog
CISA added two vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**: `CVE-2025-11953` (React Native Community CLI **OS command injection**) and `CVE-2026-24423` (SmarterTools *SmarterMail* **missing authentication for a critical function**). Under **BOD 22-01**, Federal Civilian Executive Branch (FCEB) agencies are required to remediate newly listed KEV items by CISA’s specified due dates, and CISA urged non-federal organizations to similarly prioritize remediation as part of vulnerability management. Separately, security practitioners highlighted ongoing challenges in using KEV as a universal “must-patch” list outside the federal context, given the volume of vulnerabilities and differing organizational risk profiles. Dark Reading reported on *runZero*’s **KEV Collider**, a tool that aggregates multiple open vulnerability frameworks to help teams triage exploited-vulnerability lists (including KEV) against their own priorities, alongside other approaches such as **EPSS** and “Likely Exploited Vulnerabilities” scoring; a former CISA KEV section chief cautioned that treating KEV as a blanket must-patch list for all organizations can waste limited remediation capacity.
1 months ago
CISA Updates KEV Catalog as Research Questions How KEV Should Be Prioritized
**CISA added six Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: `CVE-2026-21510`, `CVE-2026-21513`, `CVE-2026-21514`, `CVE-2026-21519`, `CVE-2026-21525`, and `CVE-2026-21533` (including a Windows Remote Desktop Services elevation-of-privilege issue). Under **Binding Operational Directive (BOD) 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged non-federal organizations to similarly prioritize remediation given KEV vulnerabilities’ frequent use as attack vectors. Separately, researchers published an analysis of the **KEV catalog’s composition and operational value**, arguing that KEV inclusion is often misinterpreted as “most severe” rather than “known exploited with a mitigation path.” The paper reports that only **~32% of KEV entries are immediately exploitable for initial access**, and that many KEV vulnerabilities are not remotely exploitable or require authentication, reinforcing the need for context-driven prioritization. The accompanying free tool, **KEV Collider**, enriches KEV entries with signals such as **CVSS, EPSS, SSVC, Metasploit, Nuclei, and MITRE ATT&CK mappings** to help security teams triage remediation and detection work under resource constraints.
1 months ago
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
3 weeks ago