CISA added four newly confirmed, actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on April 24, 2026, affecting products from Samsung, SimpleHelp, and D-Link. Federal civilian agencies have until May 8, 2026, to implement mitigations or risk noncompliance under Binding Operational Directive (BOD) 22-01.
The KEV Catalog is a continuously updated registry of Common Vulnerabilities and Exposures (CVEs) that carry confirmed, real-world exploitation evidence. Established under BOD 22-01, it mandates that Federal Civilian Executive Branch (FCEB) agencies remediate listed vulnerabilities within defined deadlines to protect critical government infrastructure.
While the directive legally applies only to FCEB agencies, CISA strongly urges all organizations, including the private sector, critical infrastructure operators, and state governments, to treat KEV entries as top-priority remediation targets within their vulnerability management programs.
The urgency behind this catalog cannot be overstated. In 2025 alone, 884 known exploited vulnerabilities were identified, and nearly 29% of those were exploited on or before the day their CVE was published. This accelerating exploitation timeline leaves defenders with an increasingly narrow window to act.
CVE-2024-7399 – Samsung MagicINFO 9 Server Path Traversal
Samsung MagicINFO 9 Server, a widely deployed digital signage management platform, is affected by a critical path-traversal vulnerability (CWE-22/CWE-434) that allows unauthenticated attackers to write arbitrary files with SYSTEM-level privileges.
Exploitation occurs via the SWUpdateFileUploader servlet, which can be queried without authentication to upload a JSP web shell, effectively enabling full remote code execution (RCE) on the underlying Windows server.
The vulnerability affects all versions of Samsung MagicINFO 9 Server before 21.1050, and its EPSS score currently sits near 99%, indicating a high likelihood of near-term exploitation.
CVE-2024-57726 – SimpleHelp Missing Authorization
SimpleHelp, a popular remote support and monitoring platform, contains a missing authorization vulnerability (CWE-862) that allows low-privileged technicians to create API keys with elevated permissions far beyond their assigned role.
Once these over-permissioned API keys are obtained, attackers can escalate privileges to the server administrator role, effectively taking full control of the SimpleHelp deployment.
This vulnerability is particularly dangerous in managed service provider (MSP) environments where SimpleHelp is used extensively, as a compromised technician account could cascade into customer network takeovers.
CVE-2024-57728 – SimpleHelp Path Traversal (Zip Slip)
The second SimpleHelp flaw is a path traversal vulnerability (CWE-22) that exploits the “Zip Slip” technique, allowing admin users to upload a specially crafted ZIP archive containing malicious files with path-traversal sequences (e.g., ../../). These sequences cause files to be written outside the intended directory and into arbitrary locations on the server’s filesystem.
When combined with CVE-2024-57726’s privilege escalation, an attacker can chain both flaws: first gaining admin access, then uploading a malicious payload for remote code execution in the context of the SimpleHelp server user.
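As an added defensive illustration (not code from SimpleHelp or from this article), this is the check an archive upload handler needs in order to refuse the Zip Slip entries described above: every member name is screened for absolute paths, drive prefixes and `..` components before anything is written, and the resolved target path is then verified to stay under the destination. It assumes Python 3.9+; the two sample archives are constructed inline.

```python
import io, os, tempfile, zipfile
from pathlib import PurePosixPath

def is_safe_member(name: str) -> bool:
    # Reject absolute paths, drive prefixes and any '..' part, with either separator.
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    return ".." not in PurePosixPath(normalized).parts

def safe_extract(data: bytes, dest: str) -> list[str]:
    # Hand-rolled extraction as many upload handlers do it, but every member name is
    # validated before anything is written. Returns files written, relative to dest.
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_safe_member(i.filename)]
        if bad:
            raise ValueError(f"rejected traversal entries: {bad}")
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:  # independent second check
                raise ValueError(f"entry resolves outside root: {info.filename!r}")
            if info.is_dir():
                continue  # parent directories are created on demand below
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written

def build_archive(entries: dict[str, bytes]) -> bytes:
    # In-memory ZIP with the given member names (constructed test data only).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def try_extract(data: bytes) -> tuple[bool, list[str]]:
    # Extract into a throwaway directory: (True, files) or (False, []) when rejected.
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return True, safe_extract(data, tmp)
        except ValueError:
            return False, []

# Constructed sample archives: one benign, one carrying a Zip Slip style entry.
BENIGN_ZIP = build_archive({"plugin/readme.txt": b"ok"})
TRAVERSAL_ZIP = build_archive({"plugin/readme.txt": b"ok", "../../outside.txt": b"x"})
```

Python's own `ZipFile.extractall` already strips such components, but libraries and hand-written extractors in other languages often do not, which is exactly the gap Zip Slip exploits.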
CVE-2025-29635 – D-Link DIR-823X Command Injection
The D-Link DIR-823X router series carries a command injection vulnerability (CWE-77) exploitable by an authorized attacker via a crafted HTTP POST request to the /goform/set_prohibiting endpoint.
Successful exploitation allows attackers to execute arbitrary OS-level commands on the remote device, enabling complete router compromise. Critically, the DIR-823X is likely end-of-life (EoL) and end-of-service (EoS), meaning D-Link will not issue patches for this device.
Exploitation Landscape and Threat Context
All four vulnerabilities share a critical trait: confirmed active exploitation in the wild. Network edge devices, including routers, remote support tools, and digital signage servers, remain among the most heavily targeted technology categories by threat actors in 2026.
Ransomware attribution for these specific CVEs is currently listed as “Unknown” in the KEV catalog, but that designation frequently updates as threat intelligence matures. D-Link and SimpleHelp environments in particular are attractive initial access targets for ransomware operators and initial access brokers (IABs).
Organizations delaying remediation of KEV-listed vulnerabilities face compounding risk: exploitation telemetry from 2025 shows that the majority of exploitation activity occurs within days of public disclosure, not months.
Remediation Deadlines at a Glance
Recommended Actions for Security Teams
- Samsung MagicINFO 9 users: Immediately upgrade to version 21.1050 or later, restrict external access to ports 7001/7002, and audit for unauthorized JSP files on the server.
- SimpleHelp administrators: Apply the latest vendor patches addressing both CVE-2024-57726 and CVE-2024-57728; audit existing API keys and revoke any with anomalous permissions.
- D-Link DIR-823X owners: Replace end-of-life devices immediately with actively supported router models; no patch is forthcoming from D-Link.
- All organizations: Cross-reference your asset inventory against the full CISA KEV Catalog and integrate KEV feeds into your vulnerability management and SIEM platforms.
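The asset cross-reference recommended in the last item, as an added example that is not part of the original article: it parses a feed in the shape of CISA's KEV JSON (field names cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), matches entries against a constructed inventory, and orders the findings by days remaining to the BOD 22-01 due date. The feed and inventory contents are constructed from the values on this page; the vendor and product strings are assumptions about how a CMDB export might spell them.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; values are the ones on this page.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory (host, vendor, product), as a CMDB export might give it.
INVENTORY = [
    {"host": "signage-01", "vendor": "samsung", "product": "MagicINFO 9 Server"},
    {"host": "rsupport-01", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"host": "branch-rtr-03", "vendor": "D-Link", "product": "DIR-823X"},
    {"host": "web-01", "vendor": "nginx", "product": "nginx"},
]

def load_kev(feed_json: str) -> list[dict]:
    return json.loads(feed_json)["vulnerabilities"]

def _norm(s: str) -> str:
    # Vendor/product spellings differ between feeds and CMDBs; compare alphanumerics only.
    return "".join(ch for ch in s.lower() if ch.isalnum())

def match_assets(kev: list[dict], inventory: list[dict], today_iso: str) -> list[dict]:
    # One finding per (asset, KEV entry) pair, ordered by days left to the BOD 22-01
    # due date, so the rows at the top are the ones that need a ticket today.
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev:
            if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
                continue
            if _norm(asset["product"]) not in _norm(entry["product"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "due": entry["dueDate"], "days_left": (due - today).days,
                             "ransomware_use": entry["knownRansomwareCampaignUse"]})
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings

def overdue(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["days_left"] < 0]
```

Vendor/product matching is deliberately loose; in production, feed the findings into a scanner or SIEM that can confirm the installed version (for example, MagicINFO 9 Server below 21.1050) before closing a ticket.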
FAQ
Q1: What is the CISA KEV Catalog?
It is CISA’s living registry of CVEs with confirmed active exploitation, requiring FCEB agencies to remediate listed vulnerabilities within set deadlines.
Q2: Does the BOD 22-01 deadline apply to private organizations?
No, BOD 22-01 legally mandates only FCEB agencies, but CISA strongly recommends all organizations prioritize KEV remediation.
Q3: Is there a patch available for the D-Link DIR-823X vulnerability?
No, the DIR-823X is end-of-life, and D-Link will not release a fix, so users must replace the device entirely.
Q4: Can CVE-2024-57726 and CVE-2024-57728 be chained together for a full attack?
Yes, an attacker can exploit CVE-2024-57726 to escalate to admin privileges, then exploit CVE-2024-57728 to upload malicious files and achieve remote code execution.