Executive Summary
On April 24, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation in the wild. The vulnerabilities include CVE-2024-7399 (Samsung MagicINFO 9 Server Path Traversal), CVE-2024-57726 (SimpleHelp Missing Authorization), CVE-2024-57728 (SimpleHelp Path Traversal), and CVE-2025-29635 (D-Link DIR-823X Command Injection). These vulnerabilities are commonly targeted by malicious actors and pose significant risks to federal enterprises.
The inclusion of these vulnerabilities in the KEV Catalog underscores the ongoing threat posed by unpatched software. Organizations are urged to prioritize remediation efforts to mitigate potential exploitation and protect their networks from active threats.
Why This Matters Now
The addition of these vulnerabilities to the KEV Catalog highlights the immediate need for organizations to address known security flaws actively exploited by cyber adversaries. Prompt remediation is essential to safeguard systems against potential breaches and data compromises.
Attack Path Analysis
Attackers exploited vulnerabilities in SimpleHelp software to gain initial access, escalated privileges to administrator, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational impact.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in SimpleHelp software (CVE-2024-57726, CVE-2024-57728) to gain unauthorized access to the system.
Related CVEs
CVE-2024-7399
CVSS 9.8. Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary files as system authority.
Affected Products:
Samsung MagicINFO 9 Server – < 21.1050
Exploit Status:
exploited in the wild
CVE-2024-57726
CVSS 9.9. SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions, which can be used to escalate privileges to the server admin role.
Affected Products:
SimpleHelp SimpleHelp – <= 5.5.7
Exploit Status:
exploited in the wild
CVE-2024-57728
CVSS 7.2. SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, which can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Affected Products:
SimpleHelp SimpleHelp – <= 5.5.7
Exploit Status:
exploited in the wild
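Two of the three entries above are path traversal bugs, and CVE-2024-57728 in particular is the archive-extraction variant: a zip member named with `../` components or an absolute path is joined onto the extraction directory and lands elsewhere on the host. The following is an added example (not code from the advisory, from SimpleHelp or from Samsung) showing the flawed join pattern next to the check that stops it. The archive contents are constructed inline; the extraction root is a temporary directory.

```python
"""Added example: zip path traversal (the CVE-2024-57728 bug class) and the
containment check that defeats it. Not code from the advisory or the vendors."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member and two escaping members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugins/readme.txt", "harmless content\n")
        zf.writestr("../../outside.txt", "would be written above the root\n")
        zf.writestr("/etc/cron.d/absolute", "absolute member name\n")
    return buf.getvalue()


def naive_target(root: str, member: str) -> str:
    """The flawed pattern: join an attacker-controlled member name onto root.
    '../' components walk upward, and an absolute name discards root entirely."""
    return os.path.normpath(os.path.join(root, member))


def is_within_root(root: str, target: str) -> bool:
    """Hardened check: resolve both paths (symlinks included) and require the
    target to be root itself or one of root's descendants. A plain string-prefix
    test is not enough, because '/srv/ab' starts with '/srv/a'."""
    root_real = Path(root).resolve()
    target_real = Path(target).resolve()
    return target_real == root_real or root_real in target_real.parents


def safe_extract(archive: bytes, dest: str) -> dict:
    """Extract only members whose resolved path stays under dest.
    Returns which members were written and which were rejected, so the
    caller can log rejections as a tamper signal instead of silently dropping them."""
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = naive_target(dest, info.filename)
            if not is_within_root(dest, target):
                result["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(info.filename)
    return result


def demo() -> dict:
    """Run the hardened extractor over the constructed archive in a temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    print(demo())
```

The containment check belongs on every member before any write, and the rejected list should be logged: a legitimate upload never contains members that escape the destination, so a non-empty rejection list is itself a detection signal. Python's own `ZipFile.extractall()` already strips such names; the bug class appears when code computes the destination path by hand, as `naive_target` does.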
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
File and Directory Discovery
Network Service Scanning
Impair Defenses
Remote Services
Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation requirements under BOD 22-01 for Samsung MagicINFO, SimpleHelp, and D-Link vulnerabilities actively exploited by threat actors.
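BOD 22-01 remediation is driven by the `dueDate` field of each KEV catalog record, so the practical first step is matching the catalog against an asset inventory and computing how much time remains. The following is an added example (not code from the advisory or from CISA) that does this offline against a constructed excerpt in the shape of CISA's KEV JSON feed. The CVE IDs, vendors and products are taken from this advisory; the `dateAdded` and `dueDate` values and the inventory are placeholders.

```python
"""Added example: match a KEV feed excerpt against an asset inventory and
report days remaining until the BOD 22-01 due date. Dates are placeholders."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs, vendors and products come from the advisory; dates are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung",
         "product": "MagicINFO 9 Server", "dateAdded": "2026-04-24",
         "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp",
         "product": "SimpleHelp", "dateAdded": "2026-04-24",
         "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp",
         "product": "SimpleHelp", "dateAdded": "2026-04-24",
         "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link",
         "product": "DIR-823X", "dateAdded": "2026-04-24",
         "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: (vendor, product) pairs an organization runs.
SAMPLE_INVENTORY = [("simplehelp", "simplehelp"), ("Cisco", "IOS XE")]


def load_kev(raw: str) -> list[dict]:
    """Parse the feed and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def find_exposed(records: list[dict], inventory: list[tuple[str, str]],
                 today: date) -> list[dict]:
    """Return one finding per KEV record whose vendor/product is in the inventory.
    Matching is case-insensitive because feed and CMDB spellings rarely agree."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    findings = []
    for rec in records:
        key = (rec["vendorProject"].lower(), rec["product"].lower())
        if key not in wanted:
            continue
        due = date.fromisoformat(rec["dueDate"])
        findings.append({
            "cveID": rec["cveID"],
            "product": f'{rec["vendorProject"]} {rec["product"]}',
            "dueDate": rec["dueDate"],
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    # Most urgent first.
    return sorted(findings, key=lambda f: (f["days_left"], f["cveID"]))


if __name__ == "__main__":
    for f in find_exposed(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY,
                          date(2026, 4, 30)):
        print(f)
```

Replacing `SAMPLE_KEV_JSON` with the downloaded feed and `SAMPLE_INVENTORY` with CMDB data makes this a daily check; a finding with `overdue` set is a BOD 22-01 deviation for federal agencies and a useful remediation-SLA metric for everyone else.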
Health Care / Life Sciences
Healthcare organizations using Samsung display systems and SimpleHelp remote access tools face HIPAA compliance risks from path traversal and authorization bypass vulnerabilities.
Information Technology/IT
IT service providers managing SimpleHelp remote access infrastructure and Samsung digital signage solutions require immediate patching against active path traversal and command injection exploits.
Financial Services
Financial institutions utilizing affected Samsung MagicINFO systems and D-Link network equipment face regulatory compliance violations and potential data exfiltration through known exploited vulnerabilities.
Sources
- CISA Adds Four Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
- Security Updates - Samsung TV & Appliance: https://security.samsungtv.com/securityUpdates
- Security Vulnerabilities in SimpleHelp 5.5.7 and Earlier: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
- Critical Vulnerabilities in SimpleHelp Remote Support Software: https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access may still occur, the attacker's ability to escalate privileges and move laterally would likely be constrained.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of their access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing their reach within the network.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing their ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely be constrained, reducing the potential data loss.
The overall impact of the attack would likely be reduced due to constrained attacker activities.
Impact at a Glance
Affected Business Functions
- Remote Support Services
- Digital Signage Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of administrative credentials and sensitive configuration files.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Utilize Multicloud Visibility & Control to monitor and manage security policies across cloud environments.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.