CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Sets May 2026 Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog. They affect SimpleHelp remote support software, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers. Federal Civilian Executive Branch (FCEB) agencies must remediate them by May 8, 2026.
Detailed Overview of the Vulnerabilities:
1. CVE-2024-57726 (CVSS Score: 9.9): A missing-authorization flaw in SimpleHelp lets a low-privileged technician create API keys with permissions beyond their own, escalating to server admin rights.
2. CVE-2024-57728 (CVSS Score: 7.2): Also in SimpleHelp, a path traversal flaw lets an admin user write arbitrary files anywhere on the file system by uploading a crafted zip archive whose entry names climb out of the extraction directory (zip slip). This yields arbitrary code execution on the host as the user the SimpleHelp server runs under. Chained with CVE-2024-57726, a low-privileged technician can reach the admin role this flaw requires.
3. CVE-2024-7399 (CVSS Score: 8.8): A path traversal flaw in Samsung MagicINFO 9 Server lets an attacker write arbitrary files with system authority, enabling unauthorized system modification or code execution.
4. CVE-2025-29635 (CVSS Score: 7.5): A command injection flaw in end-of-life D-Link DIR-823X series routers. An authenticated attacker can execute arbitrary commands on the device by sending a crafted POST request to the /goform/set_prohibiting endpoint.
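Items 2 and 3 are both arbitrary file writes through path traversal, and item 2 names the zip-slip variant. The following is an added illustration of that bug class and its fix, written for this page; it is not SimpleHelp's or Samsung's code and makes no claim about how either product extracts archives. The archive is constructed inline, and extraction happens inside a temporary directory so the escaped write never leaves it.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip():
    """Constructed test input: one benign entry plus one zip-slip entry whose
    name climbs two levels above the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless\n")
        zf.writestr("../../escaped.txt", "written outside the target dir\n")
    return buf.getvalue()


def extract_vulnerable(zip_bytes, dest):
    """Zip-slip pattern: the entry name is joined onto dest with no check for
    '..' components, so the archive chooses where each file lands.
    Returns the resolved paths that were actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename          # trusts the archive
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def extract_hardened(zip_bytes, dest):
    """Validate every entry before touching the disk: the resolved target must
    be dest itself or lie beneath it. Absolute names, '..' segments and
    symlinked prefixes are all caught because the check is on resolve()."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError("zip slip blocked: %r" % info.filename)
            planned.append((info, target))
        written = []
        for info, target in planned:               # only after all pass
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors on the same archive in a sandbox and report
    what escaped (vulnerable) and whether the hardened path refused it."""
    zip_bytes = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        vuln_dest = tmp / "vuln" / "extract"
        vuln_dest.mkdir(parents=True)
        paths = extract_vulnerable(zip_bytes, vuln_dest)
        escaped = [p for p in paths if vuln_dest.resolve() not in p.parents]

        safe_dest = tmp / "safe" / "extract"
        safe_dest.mkdir(parents=True)
        try:
            extract_hardened(zip_bytes, safe_dest)
            blocked = False
        except ValueError:
            blocked = True
        safe_written = sum(1 for _ in safe_dest.rglob("*"))
    return {"vulnerable_escaped": len(escaped),
            "hardened_blocked": blocked,
            "hardened_written": safe_written}


if __name__ == "__main__":
    print(demo())
```

The hardened version validates the whole archive before writing anything, so a malicious entry late in the listing cannot leave a half-extracted tree behind; `zipfile.extractall` already strips leading `..` from names, which is why the vulnerable path joins the name by hand, as hand-rolled extractors often do.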
Exploitation and Associated Threats:
The SimpleHelp vulnerabilities (CVE-2024-57726 and CVE-2024-57728) have been exploited in ransomware campaigns. Field Effect and Sophos report that the flaws served as initial access vectors in attacks attributed to the DragonForce ransomware operation.
CVE-2024-7399 has been used to deploy the Mirai botnet, which enlists compromised IoT and embedded devices into large-scale distributed denial-of-service (DDoS) attacks.
For CVE-2025-29635, Akamai has observed exploitation attempts against D-Link devices that deliver a Mirai variant named tuxnokill, another case of a botnet feeding on unpatched network devices.
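The authorization gap behind CVE-2024-57726 (item 1 above) is a general pattern: a credential-minting endpoint that does not bound the new credential's permissions by the caller's own. The following is an added, self-contained illustration of that pattern and its fix; it is not SimpleHelp's code, and the scope names, the `Technician` and `ApiKey` types and the `create_api_key_*` functions are all hypothetical.

```python
import secrets
from dataclasses import dataclass

# Hypothetical permission set for a remote-support server (not SimpleHelp's).
ALL_SCOPES = frozenset({"session:join", "session:create", "user:manage", "server:admin"})


@dataclass(frozen=True)
class Technician:
    name: str
    scopes: frozenset


@dataclass(frozen=True)
class ApiKey:
    token: str
    owner: str
    scopes: frozenset


def create_api_key_vulnerable(caller, requested):
    """Missing authorization: the caller is authenticated, but the scopes
    written onto the key are whatever the request asked for."""
    return ApiKey(secrets.token_urlsafe(24), caller.name, frozenset(requested))


def create_api_key_hardened(caller, requested):
    """Privilege containment: a key may never carry a scope its creator lacks,
    and unknown scope names are rejected rather than silently stored."""
    requested = frozenset(requested)
    unknown = requested - ALL_SCOPES
    if unknown:
        raise ValueError("unknown scopes: %s" % sorted(unknown))
    excess = requested - caller.scopes
    if excess:
        raise PermissionError("%s may not delegate %s" % (caller.name, sorted(excess)))
    return ApiKey(secrets.token_urlsafe(24), caller.name, requested)


def is_server_admin(key):
    return "server:admin" in key.scopes


def demo():
    """A low-privileged technician asks for a server-admin key."""
    tech = Technician("junior-tech", frozenset({"session:join"}))
    wanted = {"session:join", "server:admin"}
    vuln_key = create_api_key_vulnerable(tech, wanted)
    try:
        create_api_key_hardened(tech, wanted)
        refused = False
    except PermissionError:
        refused = True
    # The same caller asking only for what they already hold is fine.
    ok_key = create_api_key_hardened(tech, {"session:join"})
    return {"vulnerable_key_is_admin": is_server_admin(vuln_key),
            "hardened_refused": refused,
            "hardened_same_scope_ok": ok_key.scopes == tech.scopes}


if __name__ == "__main__":
    print(demo())
```

The check is a subset test on the caller's effective permissions, not on their role name; that way a later change to what a role grants does not reopen the hole.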
Recommendations and Mitigation Measures:
CISA directs FCEB agencies to apply vendor fixes for the SimpleHelp and Samsung MagicINFO 9 Server flaws and, for CVE-2025-29635, to disconnect the affected D-Link routers, all by May 8, 2026. Other organizations running these products should apply the available patches on the same footing.
The D-Link DIR-823X series is end-of-life and receives no fixes, so the only remediation is replacement with a supported device; until then the routers should be isolated from untrusted networks.
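Tracking KEV due dates against an asset inventory is the check most teams want from an advisory like this. The block below is an added example written for this page; it is not a CISA tool. The KEV sample uses the field names of CISA's JSON feed but is constructed here from the text above (only the fields the checker reads; the `knownRansomwareCampaignUse` values are assumptions), and the inventory is an invented list of assets already tagged with their open CVE IDs by some scanner.

```python
import json
from datetime import date

# Constructed sample in the layout of the KEV JSON feed; CVE IDs, products,
# due date and required actions follow the advisory above, nothing more.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "requiredAction": "The impacted product is end-of-life and should be "
                       "disconnected if still in use.",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: hostnames and open CVEs are invented.
INVENTORY = [
    {"host": "rmm01.corp.example", "open_cves": ["CVE-2024-57726", "CVE-2024-57728"]},
    {"host": "signage01.corp.example", "open_cves": []},            # already patched
    {"host": "branch-rtr-07.corp.example", "open_cves": ["CVE-2025-29635"]},
    {"host": "web03.corp.example", "open_cves": ["CVE-2000-0001"]},  # not in KEV
]


def load_kev(kev_json):
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def classify_action(entry):
    """EOL entries carry a disconnect instruction instead of a patch."""
    return "disconnect" if "end-of-life" in entry["requiredAction"].lower() else "patch"


def kev_findings(kev_json, inventory, as_of):
    """Every open CVE on an asset that appears in KEV, with days past its due
    date (negative while still inside the window). Ransomware-linked entries
    sort first, then the most overdue."""
    kev = load_kev(kev_json)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "cve": cve, "product": entry["product"],
                "action": classify_action(entry),
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "days_past_due": (as_of - due).days,
            })
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_past_due"], f["host"], f["cve"]))
    return findings


def overdue(kev_json, inventory, as_of):
    return [f for f in kev_findings(kev_json, inventory, as_of) if f["days_past_due"] > 0]


if __name__ == "__main__":
    for f in kev_findings(KEV_SAMPLE, INVENTORY, date.today()):
        print("%-28s %-16s %-10s %+d days" % (f["host"], f["cve"], f["action"], f["days_past_due"]))
```

In practice the catalog would be fetched from CISA's published JSON feed and the inventory from a vulnerability scanner; the report logic stays the same. The due date is a deadline, so an item counts as overdue only from the day after it.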
Broader Implications:
The addition of these vulnerabilities to the KEV catalog underlines how reliably attackers return to known, unpatched flaws for initial access, malware delivery and ransomware deployment. Three of the four entries here are already tied to named campaigns, one of them on a product its vendor no longer supports.
Organizations should maintain disciplined patch management, retire unsupported hardware, and monitor exposed services for signs of exploitation. Network segmentation, intrusion detection, and regular security assessments limit what an attacker can do with any single foothold.
Conclusion:
CISA’s proactive inclusion of these vulnerabilities in the KEV catalog serves as a critical reminder for organizations to prioritize cybersecurity measures. By addressing these vulnerabilities promptly, organizations can protect their systems from potential exploitation and contribute to the overall security of the digital ecosystem.