
CISA Adds Four Exploited Flaws to KEV and Establishes May 2026 Federal Deadline


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently announced a significant update to its Known Exploited Vulnerabilities (KEV) catalog. On Friday, CISA included four critical vulnerabilities affecting widely used software and hardware, specifically focusing on SimpleHelp, Samsung MagicINFO 9 Server, and the D-Link DIR-823X series routers. The agency’s acknowledgment of these vulnerabilities comes with evidence indicating that they are currently being actively exploited in the wild, raising alarms within the cybersecurity community.

The vulnerabilities that have been added to the KEV catalog are as follows:

  1. CVE-2024-57726 (CVSS score: 9.9) pertains to a missing authorization vulnerability within SimpleHelp. This flaw potentially allows low-privileged technicians to generate API keys that possess excessive permissions, ultimately enabling them to escalate their privileges to that of a server administrator. Such an exploit can lead to catastrophic security breaches, especially in environments where sensitive data is managed.

  2. CVE-2024-57728 (CVSS score: 7.2) also affects SimpleHelp and is described as a path traversal vulnerability. This particular issue permits admin users to upload arbitrary files anywhere on the file system using a specially crafted zip file, a tactic commonly referred to as "zip slip." Once exploited, this vulnerability could allow an attacker to execute arbitrary code on the host system within the context of the SimpleHelp server user, facilitating further malicious activities.

  3. CVE-2024-7399 (CVSS score: 8.8) is a path traversal vulnerability affecting the Samsung MagicINFO 9 Server. Exploiting this vulnerability could empower attackers to write arbitrary files with system-level authority, effectively jeopardizing the integrity and security of the system.

  4. CVE-2025-29635 (CVSS score: 7.5) represents a command injection vulnerability found in the end-of-life D-Link DIR-823X series routers. This specific flaw allows an authorized attacker to execute arbitrary commands on remote devices simply by sending a POST request to the vulnerable /goform/set_prohibiting endpoint.
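The "zip slip" pattern described for the second SimpleHelp flaw relies on archive entry names such as `../../etc/...` or absolute paths that escape the intended extraction directory. The following is an added example, not code from the article or from SimpleHelp, showing how a server-side upload handler can detect such entries before extracting; the destination path and archive contents are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import Path


def zip_slip_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return every entry name that would land outside `dest` on extraction.

    Both '..' components and absolute entry names are escape routes, so the
    check resolves each entry against the destination root and compares
    the result instead of pattern-matching on the raw name.
    """
    dest_root = Path(dest).resolve()
    escaping = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Path('/a') / '/etc/x' yields '/etc/x', so absolute names are
            # caught by the same comparison as '../' names.
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                escaping.append(info.filename)
    return escaping


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any entry escapes `dest`.

    Python's extractall() already strips traversal components, but silently
    remapping a hostile upload hides the attempt; rejecting it lets the
    server log and alert instead.
    """
    escaping = zip_slip_entries(zip_bytes, dest)
    if escaping:
        raise ValueError(f"refusing upload, traversal entries: {escaping}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed in-memory archive used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # writestr keeps the name verbatim
    return buf.getvalue()


UPLOAD_DIR = "/srv/app/uploads"  # assumed destination, constructed
BENIGN = build_archive({"report/summary.txt": b"ok"})
TRAVERSAL = build_archive({"report/summary.txt": b"ok",
                           "../../etc/cron.d/job": b"bad",
                           "/opt/app/bin/helper": b"bad"})
```

Running `zip_slip_entries(TRAVERSAL, UPLOAD_DIR)` returns the two escaping names while the benign archive yields an empty list, so the upload handler can reject and log the former before any file is written.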

Despite both SimpleHelp vulnerabilities being classified as “Unknown” regarding their use in ransomware campaigns, earlier reports from cybersecurity firms such as Field Effect and Sophos indicated that these vulnerabilities had been utilized as a stepping stone in previous ransomware attacks. Notably, one such campaign has been linked to the notorious DragonForce ransomware operation, underscoring the potential dangers posed by these exploits.

Additionally, the exploitation of CVE-2024-7399 has been associated with malicious activities that deploy the Mirai botnet. This connection raises concerns about the vulnerability not only affecting data integrity but also contributing to broader network compromise. Meanwhile, CVE-2025-29635 has been highlighted by Akamai, which noted attempts against D-Link devices involving a variant of the Mirai botnet called “tuxnokill.”

Given the nature and potential impact of these vulnerabilities, CISA recommends that Federal Civilian Executive Branch (FCEB) agencies take immediate action. Agencies using the affected systems must apply the necessary patches to protect against these active threats. Where CVE-2025-29635 is present, agencies are urged to discontinue use of the device by May 8, 2026. This deadline highlights the urgency of addressing the vulnerabilities to safeguard networks and systems from exploitation that could lead to devastating cyber incidents.

In summary, the addition of these vulnerabilities to the KEV catalog serves as a stern reminder of the evolving landscape of cybersecurity risks. With cyber criminals continuously seeking new methods of attack, vigilance and proactive measures are essential for organizations to mitigate potential risks associated with these vulnerabilities. By adhering to CISA’s recommendations and promptly applying necessary updates, federal agencies and other organizations can take significant steps toward reinforcing their defenses against these exploits and the threats they pose.
