CISA Adds Exploited Vulnerabilities to KEV Catalog, Establishes May 2026 Federal Remediation Deadline

Key Findings


  • CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on Friday

  • SimpleHelp flaws enable privilege escalation and arbitrary code execution, previously linked to DragonForce ransomware campaigns

  • Samsung MagicINFO vulnerability allows arbitrary file writes with system-level access and has been exploited since PoC release in April 2025

  • D-Link DIR-823X command injection flaw is being weaponized to deliver Mirai botnet variants

  • Federal agencies must remediate or discontinue affected systems by May 8, 2026


Background


The U.S. Cybersecurity and Infrastructure Security Agency maintains its Known Exploited Vulnerabilities (KEV) catalog to track flaws with evidence of active exploitation in the wild. Once a CVE is added, Federal Civilian Executive Branch agencies must remediate it by the listed due date under Binding Operational Directive 22-01; the catalog imposes no obligation on private organizations, but CISA recommends they treat it as a prioritization list. An addition signals that attacks are already underway and that patches or, where none exist, vendor mitigations or decommissioning are needed to prevent compromise.


SimpleHelp Authorization and Path Traversal Issues


Two vulnerabilities in SimpleHelp remote support software were added to the catalog. CVE-2024-57726 (CVSS 9.9) is a missing-authorization flaw: a low-privileged technician account can create API keys with permissions it should not hold and use them to escalate to full server administrator. CVE-2024-57728 (CVSS 7.2) is a path traversal flaw in the server's ZIP upload handling: an administrator can upload an archive whose entry names contain traversal sequences, placing files anywhere the SimpleHelp server process can write, which leads to remote code execution under that process. Because the second flaw requires administrator access and the first grants it, the two chain naturally from a technician login to code execution on the server.


Security researchers at Field Effect and Sophos documented these flaws being exploited in 2025 as entry points for ransomware attacks, with the DragonForce ransomware operation among the confirmed threat actors leveraging them.


Samsung MagicINFO Content Management Vulnerability


CVE-2024-7399 in Samsung MagicINFO 9 Server (CVSS 8.8) is a path traversal flaw that lets an attacker write arbitrary files with system-level authority. Samsung patched it in August 2024, but no exploitation was observed until proof-of-concept code was publicly released on April 30, 2025; within days, threat actors began active attacks. Arctic Wolf researchers observed these campaigns shortly after the PoC appeared, and given how simple the flaw is to exploit, continued attack activity is expected.
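Both the SimpleHelp ZIP upload flaw and the MagicINFO file write belong to the same class: a file name supplied by the client is joined to a destination directory without checking where the result lands. The following is an added example written for this page to illustrate that class; it is not SimpleHelp's or Samsung's code, and the archive it builds is a constructed sample, not a payload from either product. It puts the vulnerable join beside a hardened resolver that checks the fully resolved path against the destination, so `../` sequences, absolute names and `a/../../x` style entries are all rejected.

```python
"""Path-traversal-safe file writes (generic illustration of the flaw class).

Added example, not SimpleHelp's or Samsung's code. The archive built below is
a constructed sample, not an exploit payload from either product.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def unsafe_target(dest_dir: str, entry_name: str) -> str:
    """Vulnerable pattern: trust the caller-supplied name verbatim.

    A name such as '../../etc/cron.d/job' or '/abs.txt' simply lands outside
    dest_dir once joined; this is the bug class behind both CVEs above.
    """
    return os.path.normpath(os.path.join(dest_dir, entry_name))


def safe_target(dest_dir: str, entry_name: str) -> Path:
    """Hardened pattern: resolve the candidate, then confirm it is still inside
    dest_dir. Checking the resolved path rather than the raw string also covers
    'a/../../x' style names and symlinked sub-directories."""
    if os.path.isabs(entry_name) or entry_name.startswith(("/", "\\")):
        raise ValueError(f"absolute entry rejected: {entry_name!r}")
    base = Path(dest_dir).resolve()
    candidate = (base / entry_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    return candidate


def extract_zip_safely(data: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay under dest_dir.

    Returns (written, rejected) archive names so the caller can log and alert
    on rejections instead of silently dropping them.
    """
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/README.txt", "benign content\n")
        zf.writestr("../escape.txt", "would be written outside dest\n")
        zf.writestr("/abs.txt", "absolute path\n")
    return buf.getvalue()


def demo() -> dict:
    """Compare where the unsafe pattern would write against what the safe
    extractor actually does, inside a throwaway directory."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.makedirs(dest)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist()]
        unsafe_escapes = [
            n for n in names
            if not unsafe_target(dest, n).startswith(dest + os.sep)
        ]
        written, rejected = extract_zip_safely(data, dest)
        return {
            "unsafe_escapes": sorted(unsafe_escapes),
            "written": written,
            "rejected": sorted(rejected),
        }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the resolved path, not by searching the string for `..`: string filters miss encoded or mixed-separator variants, whereas a resolved path either has the destination as an ancestor or it does not. Rejections are returned rather than swallowed because an archive carrying traversal entries is itself an indicator worth alerting on.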


D-Link Router Command Injection and Botnet Deployment


CVE-2025-29635 affects end-of-life D-Link DIR-823X series routers and carries a CVSS score of 7.5. The command injection flaw allows an authenticated attacker to execute arbitrary commands by sending crafted POST requests to a specific endpoint. Akamai researchers detected active exploitation attempts this week delivering "tuxnokill," a Mirai botnet variant. Because the affected models no longer receive security updates, no firmware fix is expected; replacing the devices is the only durable remediation.


Federal Compliance Deadline


Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must address all four vulnerabilities by May 8, 2026. For CVE-2025-29635 specifically, agencies are advised to either apply patches when available or discontinue use of the affected D-Link appliances entirely by the deadline. Private sector organizations are also encouraged to review and remediate these flaws in their networks.
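The practical question for most teams is which of their own assets fall under the new entries and how many days remain. CISA publishes the catalog as a JSON feed, so that check can be automated. The script below is an added example written for this page, not a CISA tool: `KEV_SAMPLE` mimics the shape of the real feed (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) but is a constructed excerpt, with `dateAdded` assumed from the three-week window ending May 8, 2026 and the product and ransomware fields filled in as illustrative placeholders; `INVENTORY` is a hypothetical asset list. It returns one finding per unpatched matching asset, ordered so ransomware-linked CVEs and the nearest due dates come first.

```python
"""Match assets against a KEV feed and compute the BOD 22-01 clock.

Added example; KEV_SAMPLE mimics the shape of CISA's JSON feed but the
entries are constructed: dateAdded is assumed from the 21-day window that
ends on May 8, 2026, and every field other than cveID and dueDate is an
illustrative placeholder. INVENTORY is a hypothetical asset list.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp",
         "product": "SimpleHelp", "dateAdded": "2026-04-17",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp",
         "product": "SimpleHelp", "dateAdded": "2026-04-17",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung",
         "product": "MagicINFO 9 Server", "dateAdded": "2026-04-17",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link",
         "product": "DIR-823X", "dateAdded": "2026-04-17",
         "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical inventory; "patched" is whatever your asset system records.
INVENTORY = [
    {"host": "helpdesk-01", "vendor": "SimpleHelp", "product": "SimpleHelp", "patched": False},
    {"host": "signage-ctrl", "vendor": "Samsung", "product": "MagicINFO 9 Server", "patched": True},
    {"host": "branch-rtr-7", "vendor": "D-Link", "product": "DIR-823X", "patched": False},
    {"host": "web-01", "vendor": "nginx", "product": "nginx", "patched": False},
]


def _matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly; product matches if either name contains the
    other, since KEV product strings rarely line up with CMDB naming."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    ep, ap = entry["product"].lower(), asset["product"].lower()
    return ep in ap or ap in ep


def triage(kev_json: str, inventory: list[dict], today) -> list[dict]:
    """Return one finding per (unpatched asset, matching KEV entry), ordered
    with ransomware-linked CVEs first and the soonest due date next.
    `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["patched"] or not _matches(entry, asset):
                continue
            days_left = (due - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "OPEN",
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"], f["cve"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date.today()):
        flag = "  ransomware" if f["ransomware"] else ""
        print(f"{f['status']:8} {f['host']:14} {f['cve']:16} due {f['due']} "
              f"({f['days_left']:+d} days){flag}")
```

To run this against the live catalog, replace `KEV_SAMPLE` with the body of CISA's published JSON feed and `INVENTORY` with an export from your asset system. The KEV entries carry no version information, so the `patched` flag has to come from your own records; the catalog tells you which products to look at, not whether a given install is fixed.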


Sources


  • https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html

  • https://securityaffairs.com/191281/security/u-s-cisa-adds-simplehelp-samsung-and-d-link-flaws-to-its-known-exploited-vulnerabilities-catalog.html

  • https://www.linkedin.com/posts/dlross_cisa-adds-4-exploited-flaws-to-kev-sets-activity-7453820132340109312-hJo8

  • https://x.com/TheCyberSecHub/status/2047920852080197866

  • https://www.reddit.com/r/pwnhub/comments/1svcik6/cisa_adds_4_exploited_flaws_to_kev_sets_may_2026/

  • https://www.youtube.com/watch?v=I28WkokW-4Q

© 2025 by Explain IT Again