I posted the following to a tweet on X (https://x.com/CISACyber/status/1907150928634867730) from CISA announcing Apache Tomcat KEV listing: “While not strictly speaking a control system vulnerability, this is likely to show up in control systems as a third-party vulnerability. When reported by vendors, most will not identify as KEV issue.”