CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
The U.S. Cybersecurity and Infrastructure Security Agency has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. The flaws impact SimpleHelp remote support software, Samsung MagicINFO 9 Server digital signage platform, and D-Link DIR-823X series routers. Federal Civilian Executive Branch agencies are now required to apply fixes or discontinue affected appliances by May 8, 2026.
The vulnerabilities include CVE-2024-57726 in SimpleHelp (CVSS 9.9), which allows low-privileged technicians to escalate to admin by creating API keys with excessive permissions; CVE-2024-57728 in SimpleHelp (CVSS 7.2), a path traversal flaw enabling arbitrary file upload and remote code execution; CVE-2024-7399 in Samsung MagicINFO (CVSS 8.8), another path traversal allowing arbitrary file writes as system authority; and CVE-2025-29635 in D-Link DIR-823X routers (CVSS 7.5), a command injection vulnerability allowing remote command execution via POST requests. The SimpleHelp flaws have been exploited as precursors to ransomware attacks, including by the DragonForce operation. The Samsung and D-Link vulnerabilities have both been linked to Mirai botnet deployment.
The SimpleHelp vulnerabilities were exploited early last year in campaigns attributed to the DragonForce ransomware operation, according to reports from Field Effect and Sophos. The Samsung MagicINFO flaw has previously been linked to Mirai botnet activity. For the D-Link vulnerability, Akamai disclosed earlier this week that it recorded attempts against D-Link devices to deliver a Mirai botnet variant called tuxnokill. CISA has not attributed the exploitation of these specific flaws to any particular nation-state or criminal group.
The addition of these four flaws to the KEV catalog highlights the persistent targeting of enterprise support tools, IoT devices, and end-of-life networking equipment by threat actors. The short remediation deadline of May 8, 2026 reflects the severity and active exploitation of these vulnerabilities. This is a reminder that organisations running remote support software, digital signage servers, and consumer-grade routers must maintain rigorous patch management and inventory practices, particularly for devices that may have been forgotten or are no longer supported by manufacturers.
Click here for the original article.

