CISA Adds 4 Actively Exploited Flaws to KEV: SimpleHelp, Samsung MagicINFO, D-Link DIR-823X — May 8 Federal Deadline
Introduction
CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026, with a federal remediation deadline of May 8. Two flaws hit SimpleHelp remote-support software, one is a path traversal in Samsung MagicINFO 9 Server (linked to Mirai botnet activity), and the fourth is a command-injection RCE in the end-of-life D-Link DIR-823X router. Three of the four are pre-auth or near-pre-auth, all four lead to system-level compromise, and the SimpleHelp pair has been actively used against MSPs and their downstream customers throughout 2025–2026.
What Happened
CISA's update to the KEV catalog covers:
- CVE-2024-57726 — SimpleHelp Missing Authorization (CVSS 9.9). A low-privileged technician account can create API keys with excessive permissions, then escalate to server admin. Combined with CVE-2024-57728 (path traversal), an attacker who lands on a SimpleHelp instance owns it.
- CVE-2024-57728 — SimpleHelp Path Traversal. Allows arbitrary file read/write on the server, including SYSTEM-authority writes that pivot to RCE. Disclosed in early 2025 alongside 57726 and 57727; ransomware affiliates (notably DragonForce and Akira-style operators) have been using the chain since.
- CVE-2024-7399 — Samsung MagicINFO 9 Server Path Traversal. Lets an attacker write arbitrary files as the system authority on Samsung's digital signage management server. Exploitation is reportedly tied to Mirai botnet build-out, which targets MagicINFO 9 deployments to enroll signage and OOB management hosts into DDoS infrastructure.
- CVE-2025-29635 — D-Link DIR-823X Command Injection. Authenticated command injection via a POST to /goform/set_prohibiting. The DIR-823X is end-of-life and end-of-service; D-Link has stated it will not patch, and CISA's KEV entry tells organizations to "discontinue product utilization."
All four were added on April 24 with a May 8, 2026 due date for FCEB agencies. CISA explicitly recommends that everyone outside the federal civilian executive branch treat KEV entries as priority remediation work — these flaw classes (path traversal, command injection, missing authorization) are the most common precursors to ransomware deployment and lateral movement.
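The SimpleHelp missing-authorization bug is a failure of one specific rule: a key may never carry more privilege than the account that mints it. The example below is added here and is not SimpleHelp's code; the role table, scope names and account names are constructed for illustration. It shows the flawed pattern (trusting the requested scope list) beside the check that prevents a technician from issuing a server-admin key.

```python
"""Scope-capped API key issuance (added example; not SimpleHelp's code).

CVE-2024-57726 is a missing-authorization flaw: a low-privileged technician
could mint API keys carrying permissions the technician did not hold, then
use the key to reach server admin. The hardened issuer below enforces two
rules: a key's scopes must be a subset of the issuer's own, and admin-only
scopes additionally require an admin issuer. Roles and scope strings are
constructed for this example.
"""
from dataclasses import dataclass, field
import secrets

# Constructed role model; "server_admin" is the privilege the flaw escalated to.
ROLE_SCOPES = {
    "technician": {"session:create", "session:view", "file:read"},
    "lead_technician": {"session:create", "session:view", "file:read",
                        "file:write", "technician:view"},
    "server_admin": {"session:create", "session:view", "file:read", "file:write",
                     "technician:view", "technician:create", "apikey:admin",
                     "server:config"},
}
# Scopes that must never be delegated by a non-admin, even if a role table
# is later misconfigured to include them (defence in depth).
ADMIN_ONLY_SCOPES = {"technician:create", "apikey:admin", "server:config"}


@dataclass
class Account:
    name: str
    role: str

    @property
    def scopes(self) -> set:
        return set(ROLE_SCOPES[self.role])


@dataclass
class ApiKey:
    owner: str
    scopes: frozenset
    # Random token; the value itself is irrelevant to the authorization logic.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AuthorizationError(Exception):
    pass


def issue_key_vulnerable(issuer: Account, requested: set) -> ApiKey:
    """Mirrors the flaw class: the requested scope list is trusted as-is,
    so a technician can mint a key with server:config."""
    return ApiKey(owner=issuer.name, scopes=frozenset(requested))


def issue_key(issuer: Account, requested: set) -> ApiKey:
    """Hardened issuer. Over-requests are rejected rather than silently
    trimmed, so a client asking for more than it holds is visible in logs."""
    requested = set(requested)
    excess = requested - issuer.scopes
    if excess:
        raise AuthorizationError(f"{issuer.name} cannot delegate {sorted(excess)}")
    if requested & ADMIN_ONLY_SCOPES and issuer.role != "server_admin":
        raise AuthorizationError("admin-only scopes require a server_admin issuer")
    return ApiKey(owner=issuer.name, scopes=frozenset(requested))


def can_issue(issuer: Account, requested: set) -> bool:
    """Convenience predicate: would the hardened issuer accept this request?"""
    try:
        issue_key(issuer, requested)
        return True
    except AuthorizationError:
        return False


def key_grants(key: ApiKey, scope: str) -> bool:
    """Authorization check performed when a key is later presented."""
    return scope in key.scopes


if __name__ == "__main__":
    tech = Account("tech-01", "technician")
    print("vulnerable:", key_grants(issue_key_vulnerable(tech, {"server:config"}), "server:config"))
    print("hardened:  ", can_issue(tech, {"server:config"}))
```

Rejecting rather than narrowing is deliberate: a key request that exceeds the caller's rights is exactly the event a detection pipeline should see, which is why the SimpleHelp hunting step later in this post looks for API key issuance in the logs.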
Why It Matters
Each of these vulnerabilities sits in software that defenders rarely think about as "the front door." SimpleHelp is widely deployed inside MSPs and small/mid-sized IT shops to support customer endpoints — a single compromised SimpleHelp tenant can cascade into hundreds of downstream customer networks. Samsung MagicINFO 9 Server runs digital signage and quietly retains administrator credentials for every connected display, often on networks shared with corporate AD; the path traversal lets an attacker turn signage management into a command-and-control beachhead. D-Link DIR-823X consumer/SOHO routers are the kind of device that nobody manages but everyone owns, and Mirai-class botnet operators are actively scanning for them.
The pattern across all four: pre-auth or trivially escalable, RCE-class outcomes, products that are off-radar for most enterprise patch programs.
Who Is Affected
- Any organization running SimpleHelp Server, especially MSPs supporting downstream customers
- Samsung MagicINFO 9 Server deployments (digital signage, retail, hospitality, transit)
- Networks with D-Link DIR-823X routers in any role — most commonly SOHO/branch/teleworker
- Federal civilian agencies — mandatory remediation by May 8, 2026
- Anyone who has ever exposed a SimpleHelp portal to the internet between January 2025 and now should assume compromise until proven otherwise
How to Protect Yourself
SimpleHelp (CVE-2024-57726 / CVE-2024-57728):
Upgrade to a fully patched SimpleHelp build. The fixed versions are 5.5.8 and 5.4.10 or later; verify what your installation reports:
curl -s https://your-simplehelp-server/configuration/version | jq .
If you cannot patch immediately, pull the SimpleHelp portal off the internet:
# Linux/iptables example for the SimpleHelp listener
# -I prepends, so the ACCEPT inserted last is evaluated first; keep this order
iptables -I INPUT -p tcp --dport 443 -j DROP
iptables -I INPUT -p tcp --dport 443 -s <trusted-mgmt-net>/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j DROP
Then hunt for compromise. Search the SimpleHelp logs for unexpected technician account creation, API key issuance, and bulk file activity:
grep -Ei "(api[_-]?key|technician.*create|admin.*role)" /opt/simplehelp/logs/*
ls -la /opt/simplehelp/configuration/serverConfig.xml
Compare your serverConfig.xml and technician export against a known-good backup. Rotate all SimpleHelp credentials, technician passwords, and remote-control session keys. Force a re-enrollment of every customer endpoint.
Samsung MagicINFO 9 Server (CVE-2024-7399):
Upgrade to MagicINFO 9 Server v21.1050.0 or later (or v22+) per Samsung's advisory. If you cannot patch:
# Block the upload endpoints at your reverse proxy until patched
location ~ /MagicInfo/upload {
deny all;
}
Hunt for unexpected files in the upload directory and unusual system user-context process activity:
Get-ChildItem -Path "C:\Program Files\Samsung\MagicInfo Premium Server\webapps" -Recurse -File |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-180) -and ($_.Extension -in ".jsp",".war",".sh",".exe") }
# Get-Process only populates UserName when run with -IncludeUserName from an elevated prompt
Get-Process -IncludeUserName | Where-Object { $_.UserName -eq "NT AUTHORITY\SYSTEM" -and $_.Path -like "*MagicInfo*" }
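Both the MagicINFO flaw (CVE-2024-7399) and the SimpleHelp flaw (CVE-2024-57728) are path traversal in a file-handling endpoint. The following is an added example, not Samsung's or SimpleHelp's code, showing why a substring filter on "../" is not a containment check and what a correct one looks like: resolve the final path (following symlinks) and require it to stay under the intended directory. Directory and file names are constructed.

```python
"""Upload path containment (added example; not Samsung's or SimpleHelp's code).

A client-supplied file name must never select a location outside the
upload directory. The weak filter below is the kind that fails; the
hardened check resolves the candidate path and verifies it is still under
the base directory. All paths used here are constructed for the example.
"""
import tempfile
from pathlib import Path


def weak_safe_name(base: Path, name: str) -> Path:
    """Typical broken filter: rejects the literal '../' but accepts a bare
    '..', absolute paths (which replace base on join), backslash variants,
    and symlinks inside base that point outside it."""
    if "../" in name:
        raise ValueError("traversal")
    return base / name


def contained_path(base: Path, name: str) -> Path:
    """Hardened: reject NUL and absolute names, normalise separators, then
    resolve() (which also follows symlinks) and require the result to be
    relative to the resolved base."""
    base = base.resolve()
    if "\x00" in name or Path(name).is_absolute():
        raise ValueError("rejected name")
    candidate = (base / name.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"{name!r} escapes {base}") from None
    return candidate


def is_contained(base: Path, name: str) -> bool:
    """True when the hardened check accepts the name."""
    try:
        contained_path(base, name)
        return True
    except ValueError:
        return False


def weak_escapes(base: Path, name: str) -> bool:
    """True when the weak filter accepts the name yet the resulting path
    lies outside base (i.e. the filter was bypassed)."""
    try:
        candidate = weak_safe_name(base, name).resolve()
    except ValueError:
        return False
    try:
        candidate.relative_to(base.resolve())
        return False
    except ValueError:
        return True


def make_demo_base() -> Path:
    """Fresh temporary upload directory for demonstrations."""
    return Path(tempfile.mkdtemp(prefix="upload-demo-"))


if __name__ == "__main__":
    base = make_demo_base()
    for name in ["logo.png", "..", "/tmp/outside", "a\\..\\..\\x"]:
        print(f"{name!r:22} hardened={is_contained(base, name)!s:5} weak_bypassed={weak_escapes(base, name)}")
```

The hunt command above looks for recently written executable content under webapps precisely because a traversal write lands wherever the attacker names; a containment check of this shape at the upload handler is what makes that write impossible in the first place.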
D-Link DIR-823X (CVE-2025-29635):
D-Link will not patch. CISA's directive is unambiguous: discontinue use. Replace the device. In the meantime:
# Disable WAN admin access
# From the router admin UI: Tools → Admin → uncheck "Remote Management"
# Better — block externally
nmap -sS -p 80,443,8080 <router-public-ip> # confirm not externally reachable
If you cannot replace immediately, segment the router behind a managed firewall, disable UPnP, change the default admin password, and put the SOHO network on a non-routable management VLAN.
Catch the broader pattern. Build an internal KEV-driven patching workflow — anything CISA adds to KEV becomes a 14-day SLA in your tracker, regardless of whether the affected product is on your asset register. The KEV catalog is updated ~weekly; subscribe to the CISA bulletin RSS or use a tool like kev-fetcher / cve-bin-tool --kev to pull the latest entries into your scanner directly.
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | \
jq -r '.vulnerabilities[] | select(.dateAdded >= "2026-04-24") | "\(.cveID) \(.vendorProject) \(.product) due:\(.dueDate)"'
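The jq one-liner above lists new entries; turning that into the 14-day SLA workflow means matching entries against what you actually run and computing a due date. The script below is an added example and is not a CISA tool or cve-bin-tool. It embeds a constructed excerpt of the KEV feed (the four entries from this post, in the feed's real field names cveID, vendorProject, product, dateAdded, dueDate) and a constructed asset inventory so it runs offline; fetch_kev() is the live download path.

```python
"""KEV-driven patch SLA tracker (added example; not a CISA or cve-bin-tool tool).

Matches KEV entries against an asset inventory by vendor and product and
derives an internal due date of dateAdded + 14 days. The feed excerpt and
the inventory are constructed; the URL and field names are CISA's.
"""
import json
from datetime import date, timedelta

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
INTERNAL_SLA_DAYS = 14

# Constructed excerpt in the feed's shape; CVE IDs and dates are those in the post.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
]})

# Constructed inventory; hostnames are placeholders.
ASSETS = [
    {"host": "msp-rs01", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"host": "signage-mgr", "vendor": "Samsung", "product": "MagicINFO 9 Server"},
    {"host": "branch-gw", "vendor": "D-Link", "product": "DIR-823X"},
    {"host": "fileserver", "vendor": "Microsoft", "product": "Windows Server"},
]


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> str:
    """Live download of the catalog; not used by the offline demo."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def _norm(s: str) -> str:
    # Case- and whitespace-insensitive comparison key.
    return "".join(s.casefold().split())


def asset_matches(asset: dict, entry: dict) -> bool:
    """Vendor must match exactly; product matches if either name contains the other,
    which tolerates version suffixes in one inventory but not the other."""
    if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
        return False
    a, k = _norm(asset["product"]), _norm(entry["product"])
    return a in k or k in a


def match_kev(feed_json: str, assets: list, since: str) -> list:
    """One record per (asset, KEV entry) pair added on or after `since` (ISO date)."""
    records = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["dateAdded"] < since:          # ISO dates compare correctly as strings
            continue
        added = date.fromisoformat(entry["dateAdded"])
        internal_due = (added + timedelta(days=INTERNAL_SLA_DAYS)).isoformat()
        for asset in assets:
            if asset_matches(asset, entry):
                records.append({"host": asset["host"], "cveID": entry["cveID"],
                                "cisa_due": entry["dueDate"], "internal_due": internal_due})
    return records


def overdue(records: list, today: str) -> list:
    """Records whose internal SLA has already passed on `today` (ISO date)."""
    return [r for r in records if today > r["internal_due"]]


if __name__ == "__main__":
    for r in match_kev(KEV_SAMPLE, ASSETS, since="2026-04-24"):
        print(f"{r['host']:12} {r['cveID']:16} cisa:{r['cisa_due']} internal:{r['internal_due']}")
```

For these four entries the 14-day internal SLA lands on the same day as CISA's federal deadline; the point of computing it from dateAdded rather than copying dueDate is that the rule then applies uniformly to entries CISA gives longer windows.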
Source
- The Hacker News — CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
- CISA Known Exploited Vulnerabilities Catalog
- GovPing — KEV Catalog Update: Four Exploited Vulnerabilities Added 2026-04-24
- SimpleHelp Security Advisory — CVE-2024-57726, 57727, 57728
- Samsung MagicINFO Security Notice