CISA Identifies Four Actively Exploited Vulnerabilities, Sets May 2026 Remediation Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog by adding four critical security flaws. These vulnerabilities, affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers, have been confirmed as actively exploited in the wild.
Detailed Overview of the Vulnerabilities:
1. CVE-2024-57726 (CVSS Score: 9.9): This vulnerability in SimpleHelp arises from missing authorization controls, allowing low-privileged technicians to generate API keys with elevated permissions. Exploitation of this flaw can lead to unauthorized escalation to server administrator roles.
2. CVE-2024-57728 (CVSS Score: 7.2): Also found in SimpleHelp, this path traversal vulnerability permits administrative users to upload arbitrary files anywhere on the server’s file system by manipulating zip files. Such exploitation can result in arbitrary code execution under the SimpleHelp server user’s context.
3. CVE-2024-7399 (CVSS Score: 8.8): Identified in Samsung MagicINFO 9 Server, this path traversal flaw enables attackers to write arbitrary files with system-level authority, potentially compromising the entire system.
4. CVE-2025-29635 (CVSS Score: 7.5): This command injection vulnerability affects end-of-life D-Link DIR-823X series routers. Authenticated attackers can execute arbitrary commands on remote devices by sending specific POST requests, leading to full device compromise.
Exploitation and Associated Threats:
The SimpleHelp vulnerabilities (CVE-2024-57726 and CVE-2024-57728) have been exploited in ransomware campaigns. Reports from cybersecurity firms Field Effect and Sophos indicate that these flaws were used as initial access points in attacks attributed to the DragonForce ransomware group.
CVE-2024-7399 has been linked to activities deploying the Mirai botnet, a notorious malware strain that transforms networked devices into remotely controlled bots for large-scale network attacks.
Regarding CVE-2025-29635, Akamai has observed attempts to exploit this vulnerability in D-Link devices to deliver a Mirai botnet variant known as tuxnokill.
CISA’s Recommendations and Deadlines:
In response to these active threats, CISA has issued directives for Federal Civilian Executive Branch (FCEB) agencies:
– Remediation Deadline: Agencies are required to apply necessary fixes or discontinue the use of affected appliances by May 8, 2026.
– Mitigation Strategies: Implementing patches provided by vendors, conducting thorough system audits, and enhancing monitoring for unusual activities are recommended to mitigate potential exploits.
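One way to act on the audit recommendation above is to cross-reference an asset inventory against the KEV feed and flag the May 8, 2026 due date. The check below is an added example, not part of CISA's advisory or tooling; the feed sample, hostnames and inventory are constructed, and the field names (cveID, product, dueDate, knownRansomwareCampaignUse) are assumed to match the public KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. Field names are an
# assumption about the public feed; CVE IDs, products and the due date come from
# the article, ransomware flags from its description of the SimpleHelp campaigns.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory (hypothetical hostnames): CVEs a scanner reported per host.
INVENTORY = {
    "rmm-01.example.internal": ["CVE-2024-57726", "CVE-2024-57728"],
    "signage-07.example.internal": ["CVE-2024-7399"],
    "db-02.example.internal": ["CVE-2023-0000"],  # placeholder, not in the sample feed
}

def load_kev(feed_json):
    """Index a KEV feed (JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def kev_exposure(inventory, kev, today_iso):
    """Return hosts exposed to KEV-listed CVEs, most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:          # not in KEV: outside this check's scope
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host, "cve": cve, "product": entry["product"],
                "due": due.isoformat(), "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Overdue items first, then ransomware-linked ones, then nearest due date.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"]))
    return findings

if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, load_kev(KEV_SAMPLE), date.today().isoformat()):
        tags = ("OVERDUE " if f["overdue"] else "") + ("RANSOMWARE" if f["ransomware"] else "")
        print(f"{f['host']:28} {f['cve']:15} due {f['due']} ({f['days_left']:+d} days) {tags}")
```

Point `load_kev` at the downloaded feed instead of `KEV_SAMPLE` to run this against the full catalog.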
Implications for Organizations:
The addition of these vulnerabilities to the KEV catalog underscores the persistent and evolving nature of cyber threats. Organizations utilizing the affected systems must prioritize patching and remediation efforts to prevent potential breaches.
Conclusion:
CISA’s proactive identification and cataloging of these vulnerabilities serve as a critical reminder of the importance of timely vulnerability management. Organizations are urged to adhere to the specified deadlines and implement recommended security measures to safeguard their systems against these actively exploited threats.