The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
The vulnerabilities added include:
- CVE-2025-11953: React Native Community CLI OS Command Injection Vulnerability
- CVE-2026-24423: SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
- CVE-2025-24200: Apple iOS and iPadOS Incorrect Authorization Vulnerability
- CVE-2024-41710: Mitel SIP Phones Argument Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and present significant risks to the federal enterprise.
CISA’s Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry substantial risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified deadlines to protect FCEB networks against active threats. For further details, agencies can refer to the BOD 22-01 Fact Sheet.
While BOD 22-01 applies only to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing the timely remediation of vulnerabilities listed in the KEV Catalog as part of their ongoing vulnerability management practices. CISA will continue to update the catalog with vulnerabilities that meet the established criteria, ensuring organizations have guidance on addressing the most critical and actively exploited threats.
 has added four new vulnerabilities to its Known Exploited...){kind=link}