Overview
- CISA added CVE-2026-24423 to its Known Exploited Vulnerabilities catalog and said ransomware actors are abusing the flaw, triggering a February 26, 2026 remediation deadline for federal agencies.
- CVE-2026-24423 is an unauthenticated remote code execution bug in the ConnectToHub API that lets an attacker-controlled server define commands executed by SmarterMail on all platforms.
- The vulnerability affects versions prior to v100.0.9511 and carries a CVSS score of 9.3, with SmarterTools issuing the fix in build 9511 released on January 15.
- Researchers at watchTowr, CODE WHITE, and VulnCheck reported the issue, noting the API accepts anonymous POST requests and JSON parameters that can enable command execution and potential Linux privilege escalation.
- CISA also added CVE-2025-11953 in the React Native Community CLI Metro dev server to the KEV list with the same deadline, citing confirmed in-the-wild OS command injection attacks.
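For defenders triaging a SmarterMail host, the two immediate questions raised by the bullets above are whether the installed build predates the 9511 fix and whether anything has been POSTing to the ConnectToHub API. The script below is an added example, not code from SmarterTools, CISA or the reporting researchers: it parses a few constructed access-log lines, flags POST requests whose path references ConnectToHub, counts them per source address, and compares a version string against the fixed build. The combined-log format, the `/api/v1/ConnectToHub` path and the sample addresses are assumptions; only the API name and the build number come from the advisory summary.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# From the advisory summary on this page: builds before 100.0.9511 are affected.
FIXED_BUILD = 9511

# Constructed sample access-log lines for demonstration (not real traffic).
# Combined-log format and the "/api/v1/ConnectToHub" path are assumptions;
# only the API name "ConnectToHub" comes from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2026:08:01:12 +0000] "POST /api/v1/ConnectToHub HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Feb/2026:08:02:40 +0000] "GET /interface/root HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2026:08:03:05 +0000] "POST /api/v1/ConnectToHub HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.44 - - [10/Feb/2026:08:04:11 +0000] "POST /api/v1/auth/authenticate-user HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int


def parse_build(version: str) -> int:
    """Return the build number from a SmarterMail version string such as '100.0.9511'."""
    return int(version.strip().lstrip("v").split(".")[-1])


def is_vulnerable_build(build: int, fixed: int = FIXED_BUILD) -> bool:
    """True when the build predates the fix shipped in build 9511."""
    return build < fixed


def find_connecttohub_posts(log_text: str) -> List[Finding]:
    """Flag every POST whose request path references the ConnectToHub API."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        if "connecttohub" not in m["path"].lower():
            continue
        findings.append(Finding(m["ip"], m["ts"], m["path"], int(m["status"])))
    return findings


def summarize_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged requests per source address so repeat callers stand out."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = find_connecttohub_posts(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.timestamp} {hit.ip} POST {hit.path} -> {hit.status}")
    print("per-source counts:", summarize_by_source(hits))
    print("build 9500 vulnerable:", is_vulnerable_build(parse_build("100.0.9500")))
```

Legitimate hub connections may also hit this endpoint, so the flagged list is a triage queue rather than a verdict: establish which source addresses are expected, then treat unexplained POSTs (especially from hosts still below build 9511) as candidates for the ransomware activity CISA describes.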