The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on April 25, 2026. The flaws affect SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers, spanning remote support software, digital signage infrastructure, and consumer-grade networking equipment.
Federal Civilian Executive Branch (FCEB) agencies have been given a hard deadline of May 8, 2026 to apply patches or discontinue use of affected systems.
Vulnerabilities Added
CVE-2024-57726 — SimpleHelp (CVSS 9.9)
A missing authorization flaw in SimpleHelp's remote support platform allows low-privileged technician accounts to create excessive API keys, effectively granting them access beyond their intended permission scope. With a near-perfect CVSS score of 9.9, this is the most severe of the four vulnerabilities added.
SimpleHelp vulnerabilities have been actively weaponized in ransomware campaigns, including operations attributed to the DragonForce ransomware group. Organizations using SimpleHelp for IT support operations should treat this as an immediate priority.
CVE-2024-57728 — SimpleHelp (CVSS 7.2)
A path traversal vulnerability in SimpleHelp allows attackers to upload arbitrary files to the server via specially crafted ZIP archives. Combined with CVE-2024-57726, these two flaws create a powerful exploit chain: escalate API access, then write attacker-controlled files to the server.
CVE-2024-7399 — Samsung MagicINFO 9 Server (CVSS 8.8)
Samsung's MagicINFO 9 Server — a content management platform for digital signage displays — contains a path traversal vulnerability that enables arbitrary file writes. Researchers have observed this flaw being exploited to deploy Mirai botnet agents on exposed servers, effectively conscripting digital signage infrastructure into DDoS botnets.
Samsung MagicINFO is commonly deployed in retail, hospitality, and enterprise environments where internet-connected signage systems may not receive the same security scrutiny as traditional IT assets.
CVE-2025-29635 — D-Link DIR-823X (CVSS 7.5)
A command injection vulnerability in D-Link's DIR-823X series routers allows unauthenticated attackers to execute arbitrary OS commands. D-Link DIR-823X devices are end-of-life, meaning the vendor will not release a patch. Exploitation has been linked to a Mirai variant called tuxnokill, which targets these routers for DDoS botnet recruitment.
With no official patch forthcoming, the only remediation for this vulnerability is device replacement.
Exploitation Context
| CVE | Product | CVSS | Exploitation |
|---|---|---|---|
| CVE-2024-57726 | SimpleHelp | 9.9 | DragonForce ransomware campaigns |
| CVE-2024-57728 | SimpleHelp | 7.2 | File upload chain with CVE-57726 |
| CVE-2024-7399 | Samsung MagicINFO 9 | 8.8 | Mirai botnet deployment |
| CVE-2025-29635 | D-Link DIR-823X | 7.5 | tuxnokill Mirai variant |
Recommended Actions
For SimpleHelp users:
- Apply the latest SimpleHelp update immediately
- Audit technician API key allocations for unexpected entries
- Review server file system for unauthorized uploads
- Consider network segmentation for remote support infrastructure
For Samsung MagicINFO 9 users:
- Apply Samsung's security patch for CVE-2024-7399 without delay
- Restrict MagicINFO server exposure to internal networks only
- Monitor file system changes on signage servers
For D-Link DIR-823X users:
- Replace devices immediately — no patch will be released
- Until replacement is possible, isolate affected routers from the internet
- Monitor for tuxnokill Mirai infection indicators
Federal Compliance Deadline
FCEB agencies must remediate all four vulnerabilities by May 8, 2026, per CISA's Binding Operational Directive 22-01. Organizations outside the federal government are strongly encouraged to treat the KEV catalog as a prioritization signal for their own vulnerability management programs.
CISA's KEV catalog currently catalogs hundreds of actively exploited flaws and serves as one of the most actionable threat intelligence resources available to defenders.