CISA Flags Actively Exploited Samsung, SimpleHelp, and D-Link Vulnerabilities
CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation affecting Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X devices. The newly listed flaws are CVE-2024-7399 in Samsung MagicINFO, CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, and CVE-2025-29635 in D-Link DIR-823X. The Samsung issue allows unauthenticated attackers to upload JSP files and execute code with system-level privileges, while the D-Link flaw is a command injection bug that Akamai said is being exploited by a Mirai botnet through crafted POST requests.
The two SimpleHelp vulnerabilities are especially concerning because they can be chained from a low-privileged technician account into full server and downstream host compromise, a pattern linked to ransomware precursor activity. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate the KEV-listed flaws by May 8, 2026, and CISA urged broader patching and review as attackers increasingly target peripheral infrastructure such as remote support platforms, digital signage servers, and SOHO edge devices.
Timeline
Apr 25, 2026
CISA sets May 8 remediation deadline for federal agencies
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the newly listed KEV vulnerabilities by 2026-05-08. Private organizations were also urged to review and patch affected systems.
Apr 25, 2026
CISA adds Samsung, SimpleHelp, and D-Link flaws to the KEV catalog
CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2024-7399 in Samsung MagicINFO 9 Server, CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, and CVE-2025-29635 in D-Link DIR-823X. The agency cited evidence of active exploitation for all four flaws.
Apr 25, 2026
Akamai reports Mirai exploiting D-Link DIR-823X command injection flaw
Akamai reported that a Mirai botnet was exploiting CVE-2025-29635 in D-Link DIR-823X routers using crafted POST requests. This established active exploitation of the D-Link vulnerability in the wild.
Apr 25, 2026
Public PoC release is followed by exploitation of Samsung MagicINFO flaw
Researchers observed exploitation of CVE-2024-7399 in Samsung MagicINFO 9 Server shortly after public proof-of-concept code was released. The flaw allows unauthenticated attackers to upload JSP files and execute code with system-level privileges.
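The KEV listing and May 8 deadline described above lend themselves to automated triage. The following is an added example, not part of the original story or any CISA tooling: it matches a constructed excerpt shaped like the KEV JSON feed against a hypothetical asset inventory and orders findings by deadline, ransomware linkage, and exposure. Host names, `dateAdded`, and the ransomware flags are sample values.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs, products and
# dueDate come from the story; dateAdded and the ransomware flags are sample values.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
   "dateAdded": "2026-04-25", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
   "dateAdded": "2026-04-25", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
   "dateAdded": "2026-04-25", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
   "dateAdded": "2026-04-25", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Hypothetical asset inventory; a real one would come from a CMDB or scanner export.
INVENTORY = [
    {"host": "signage-01", "vendor": "samsung", "product": "magicinfo 9 server", "internet_facing": False},
    {"host": "support-gw", "vendor": "simplehelp", "product": "simplehelp", "internet_facing": True},
    {"host": "branch-rtr-7", "vendor": "d-link", "product": "dir-823x", "internet_facing": True},
    {"host": "hr-laptop-12", "vendor": "dell", "product": "latitude", "internet_facing": False},
]

def triage(kev, inventory, today):
    """Match inventory to KEV entries and order findings by remediation urgency."""
    findings = []
    for asset in inventory:
        for vuln in kev["vulnerabilities"]:
            # Exact vendor/product match keeps the example short; real data needs CPE or alias mapping.
            if (vuln["vendorProject"].lower(), vuln["product"].lower()) != (asset["vendor"], asset["product"]):
                continue
            days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
            findings.append({
                "host": asset["host"], "cve": vuln["cveID"], "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": vuln["knownRansomwareCampaignUse"] == "Known",
                "internet_facing": asset["internet_facing"],
            })
    # Soonest deadline first, then ransomware-linked entries, then exposed hosts.
    findings.sort(key=lambda f: (f["days_left"], not f["ransomware"],
                                 not f["internet_facing"], f["host"], f["cve"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date.today()):
        print(f)
```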
Related Stories

Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple **critical, unauthenticated remote code execution and authentication-bypass vulnerabilities** in widely deployed enterprise products were reported as **actively exploited** and, in several cases, added to CISA’s **Known Exploited Vulnerabilities (KEV)** catalog. SmarterTools *SmarterMail* is being targeted in **ransomware** activity via **CVE-2026-24423**, an unauthenticated RCE caused by missing authentication on the `ConnectToHub` API (`/api/v1/settings/sysadmin/connect-to-hub`), where an attacker-controlled server can return JSON containing a `CommandMount` value that drives arbitrary command execution; the issue affects versions prior to `v100.0.9511`. Separately, SolarWinds *Web Help Desk* is affected by **CVE-2025-40551** (CVSS 9.8), a **deserialization of untrusted data** flaw in the `AjaxProxy` component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies. In parallel, Fortinet environments using **FortiCloud SSO** face authentication-bypass risk from **CVE-2025-59718**, **CVE-2025-59719**, and **CVE-2026-24858**, which can allow an attacker with a FortiCloud account to log into organizations’ **FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb** if SSO is enabled; Kaspersky published **SIEM correlation rules** to detect related suspicious logins and admin actions. Samsung *MagicInfo 9 Server* (digital signage management) was also reported with a trio of severe flaws affecting versions prior to `21.1090.1`, including **CVE-2026-25202** (hardcoded credentials, CVSS 9.8) and **CVE-2026-25201** (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
1 month ago
CISA Adds Array Networks and D-Link Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a command injection flaw in Array Networks ArrayOS AG VPN devices (CVE-2025-66644) and a buffer overflow in D-Link Go-RT-AC750 routers (CVE-2022-37055). The Array Networks vulnerability affects versions before 9.4.5.9 and has been exploited since August 2025, primarily targeting Japanese organizations, allowing attackers to deploy PHP webshells and create rogue user accounts. The D-Link vulnerability impacts end-of-life routers, enabling remote code execution and lateral movement, with no official patches available, prompting recommendations for device retirement and additional mitigations. Federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines, while all organizations are strongly urged to prioritize patching and mitigation efforts. CISA emphasizes the persistent risk posed by vulnerabilities in VPN appliances and legacy routers, recommending immediate action such as patching, isolating affected hardware, and integrating KEV feeds into vulnerability management processes to reduce exposure to active cyber threats.
1 month ago
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
1 month ago