CISA KEV Updates and New Enrichment Tooling for Vulnerability Prioritization

CISA’s Known Exploited Vulnerabilities (KEV) program continues to be used as an operational prioritization mechanism for vulnerabilities with confirmed exploitation, but recent analysis cautions it is often misunderstood as a definitive list of the “worst” vulnerabilities. A paper by former CISA KEV section chief Tod Beardsley describes how enrichment signals (e.g., CVSS, EPSS, SSVC, public exploit availability in Metasploit/Nuclei, and MITRE ATT&CK mappings) can be combined to better triage KEV entries, and introduces KEV Collider, a free web app/dataset intended to help teams explore and validate enriched KEV data; one highlighted finding is that only ~32% of KEV-listed vulnerabilities are “immediately exploitable for initial access.”

CISA also added two vulnerabilities to the KEV catalog due to active exploitation: CVE-2026-24423 (SmarterTools SmarterMail) and CVE-2025-11953 (React Native Community CLI). CVE-2026-24423 is described as an unauthenticated RCE tied to a missing authentication check in the ConnectToHub API method in SmarterMail builds prior to 9511, enabling command execution by coercing the server to connect to a malicious HTTP endpoint; build 9511 was released to remediate, and ransomware activity has reportedly targeted exposed instances. CVE-2025-11953 is described as unauthenticated OS command injection via the Metro dev server (notably when bound to external interfaces), with reporting of exploitation activity involving PowerShell-based loaders and defense evasion; U.S. federal agencies are directed under BOD 22-01 to remediate by the stated KEV deadline, and other organizations are advised to patch/upgrade and reduce exposure (e.g., bind Metro to localhost) while monitoring for suspicious PowerShell and related post-exploitation behavior.