Executive Summary
In April 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. These vulnerabilities include CVE-2024-57726, a missing authorization flaw in SimpleHelp allowing privilege escalation; CVE-2024-57728, a path traversal issue in SimpleHelp enabling arbitrary file uploads; CVE-2024-7399, a path traversal vulnerability in Samsung MagicINFO 9 Server permitting arbitrary file writes; and CVE-2025-29635, a command injection flaw in D-Link DIR-823X routers allowing remote command execution. Federal agencies are mandated to address these vulnerabilities by May 8, 2026.
The inclusion of these vulnerabilities in the KEV catalog underscores the persistent threat posed by unpatched software in critical infrastructure. Organizations are urged to prioritize remediation efforts to mitigate potential exploitation, especially as some of these vulnerabilities have been linked to ransomware campaigns and botnet deployments in the past.
Why This Matters Now
The addition of these vulnerabilities to CISA's KEV catalog highlights the ongoing risk of unpatched software being actively exploited. Immediate remediation is crucial to prevent potential breaches, data loss, and service disruptions, particularly given the historical association of some of these flaws with ransomware and botnet activities.
Attack Path Analysis
Attackers exploited vulnerabilities in SimpleHelp and Samsung MagicINFO 9 Server to gain initial access. They escalated privileges by creating API keys with excessive permissions. Lateral movement was achieved by exploiting path traversal vulnerabilities to execute arbitrary code. Command and control were established through compromised systems. Data exfiltration occurred via unauthorized file uploads. The impact included deployment of ransomware and botnet malware.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited missing authorization and path traversal vulnerabilities in SimpleHelp and Samsung MagicINFO 9 Server to gain unauthorized access.
Related CVEs
CVE-2024-57726
CVSS 9.9
A missing authorization vulnerability in SimpleHelp allows low-privileged technicians to create API keys with excessive permissions, enabling escalation to the server admin role.
Affected Products:
SimpleHelp SimpleHelp – <= 5.5.7
Exploit Status:
exploited in the wild
CVE-2024-57728
CVSS 7.2
A path traversal vulnerability in SimpleHelp allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.
Affected Products:
SimpleHelp SimpleHelp – <= 5.5.7
Exploit Status:
exploited in the wild
CVE-2024-7399
CVSS 9.8
A path traversal vulnerability in Samsung MagicINFO 9 Server allows an attacker to write arbitrary files with system authority.
Affected Products:
Samsung MagicINFO 9 Server – 9
Exploit Status:
exploited in the wild
CVE-2025-29635
CVSS 7.2
A command injection vulnerability in end-of-life D-Link DIR-823X series routers allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting.
Affected Products:
D-Link DIR-823X – All
Exploit Status:
exploited in the wild
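Two of the four flaws (CVE-2024-57728 and CVE-2024-7399) are path traversal bugs in file-write paths, the SimpleHelp one triggered through a crafted zip archive. The following added example, written for this page and not taken from SimpleHelp, Samsung or any other vendor, shows the defensive check an upload handler should apply: audit every archive entry name for traversal (dot-dot climbing above the root, absolute paths, drive letters, backslash separators) and extract only entries whose resolved path stays under the destination. The sample archive is constructed inline for demonstration.

```python
import io
import os
import zipfile

def is_traversal_name(name: str) -> bool:
    """True when a zip entry name would land outside the extraction root."""
    norm = name.replace("\\", "/")          # tolerate Windows-style separators
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True                          # absolute path or drive letter
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        depth = depth - 1 if part == ".." else depth + 1
        if depth < 0:
            return True                      # climbed above the root
    return False

def audit_zip(data: bytes) -> list[str]:
    """Names of entries that would be written outside the extraction root."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if is_traversal_name(i.filename)]

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only entries that resolve inside dest; return what was written."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_traversal_name(info.filename) or info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                continue                     # second check: resolved path escapes
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../outside.txt", "escapes via dot-dot")
        zf.writestr("/abs/path.txt", "absolute path")
        zf.writestr("a/../b.txt", "dot-dot that stays inside")
    return buf.getvalue()
```

Running `audit_zip` on an uploaded archive before extraction, and logging any rejected names, gives both a block and a detection signal for this bug class.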
MITRE ATT&CK® Techniques
Valid Accounts
Create Account
Account Manipulation
Use Alternate Authentication Material
Local Accounts
Cloud Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit access to system components and cardholder data to only those individuals whose job requires such access.
Control ID: 7.2.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Pillar 2: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face critical vulnerability exploitation risks in network infrastructure, requiring immediate KEV catalog compliance and enhanced zero trust segmentation.
Health Care / Life Sciences
Healthcare organizations are vulnerable to lateral movement through unpatched systems, threatening HIPAA compliance and patient data protection, and need encrypted traffic monitoring to detect it.
Financial Services
Banking institutions at risk from SimpleHelp and router vulnerabilities enabling privilege escalation attacks, requiring strengthened egress security and anomaly detection capabilities.
Information Technology/IT
IT service providers face exposure through remote access tools and network equipment vulnerabilities, necessitating enhanced multicloud visibility and threat detection systems.
Sources
- CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline – https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html
- CVE-2024-57726: SimpleHelp Privilege Escalation Vulnerability – https://www.sentinelone.com/vulnerability-database/cve-2024-57726/
- CVE-2024-57726 Impact, Exploitability, and Mitigation Steps – https://www.wiz.io/vulnerability-database/cve/cve-2024-57726
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting unauthorized access to critical systems.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing least-privilege access policies.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been constrained by monitoring and controlling east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could have been limited by providing comprehensive visibility across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been constrained by enforcing strict egress policies.
The overall impact of the attack could have been limited by reducing the attacker's ability to deploy malware across systems.
Impact at a Glance
Affected Business Functions
- Remote Support Services
- Digital Signage Management
- Network Infrastructure
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive client data and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.