The Cybersecurity and Infrastructure Security Agency has expanded its Known Exploited Vulnerabilities catalog with four newly identified security flaws that are currently being abused in real-world attacks. The update, issued on April 25, 2026, highlights vulnerabilities affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers. The agency has directed Federal Civilian Executive Branch agencies to remediate these issues by May 8, 2026, emphasizing the urgency due to confirmed exploitation activity.
Among the newly listed issues are two vulnerabilities in SimpleHelp, identified as CVE-2024-57726 and CVE-2024-57728. The first carries a critical CVSS score of 9.9 and stems from missing authorization controls, allowing low-privileged technicians to generate API keys with elevated permissions. This weakness can be leveraged to escalate access to administrator level within the server environment. The second flaw, with a CVSS score of 7.2, is a path traversal issue that enables administrators to upload malicious files across the system using crafted archive files. This could lead to arbitrary code execution under the privileges of the SimpleHelp server user. Although these vulnerabilities are not officially marked as linked to ransomware campaigns in the KEV catalog, earlier research from cybersecurity firms indicated their use in attacks associated with the DragonForce ransomware operation.
The third vulnerability, CVE-2024-7399, impacts Samsung MagicINFO 9 Server and has a CVSS score of 8.8. This flaw allows attackers to exploit path traversal weaknesses to write arbitrary files with system-level privileges. Past incidents have connected this vulnerability to campaigns distributing variants of the Mirai botnet, a well-known malware strain used to compromise networked devices for large-scale attacks. Its inclusion in the KEV catalog signals continued exploitation and reinforces concerns about unsecured enterprise infrastructure platforms being targeted for botnet propagation.
The final vulnerability, CVE-2025-29635, affects end-of-life D-Link DIR-823X routers and has been assigned a CVSS score of 7.5. This issue involves command injection through a specific function endpoint, allowing authenticated attackers to execute arbitrary commands remotely. Security researchers recently observed attempts to exploit this flaw to deploy a Mirai variant called tuxnokill. Given that the affected devices are no longer supported, CISA has advised discontinuing their use entirely instead of attempting mitigation through patches or configuration changes.
CISA’s directive underscores the continued risk posed by unpatched or outdated systems, especially when vulnerabilities are actively exploited in the wild. The KEV catalog serves as a prioritized list for organizations to address critical security gaps, and the latest additions reflect ongoing trends in targeting remote management tools, media servers, and legacy networking hardware. Federal agencies are expected to comply within the set timeline, while private sector organizations are also encouraged to review their exposure and take appropriate action to reduce potential attack surfaces.
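As an added illustration of how an organization can turn the KEV catalog into the prioritized to-do list described above, the following Python script is not from the article or from CISA; it is example code. It uses the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse), but the four records embedded below are constructed from the facts in this article, the asset inventory is invented, and the requiredAction wording is an assumption, not a copy of the feed. The script matches KEV entries against the inventory, computes days remaining to the due date, and flags entries whose required action is to retire the product rather than patch it.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed; the records are built from the article, not copied from the feed.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Missing Authorization Vulnerability",
         "dateAdded": "2026-04-25", "dueDate": "2026-05-08",
         "requiredAction": "Apply mitigations per vendor instructions.",  # assumed wording
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Path Traversal Vulnerability",
         "dateAdded": "2026-04-25", "dueDate": "2026-05-08",
         "requiredAction": "Apply mitigations per vendor instructions.",  # assumed wording
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
         "vulnerabilityName": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
         "dateAdded": "2026-04-25", "dueDate": "2026-05-08",
         "requiredAction": "Apply mitigations per vendor instructions.",  # assumed wording
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
         "vulnerabilityName": "D-Link DIR-823X Command Injection Vulnerability",
         "dateAdded": "2026-04-25", "dueDate": "2026-05-08",
         "requiredAction": "The impacted product is end-of-life and should be "
                           "disconnected if still in use.",  # assumed wording
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: hostnames and vendor/product strings are invented.
SAMPLE_INVENTORY = [
    {"host": "rmm01.corp.example", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"host": "signage.corp.example", "vendor": "Samsung", "product": "MagicINFO 9 Server"},
    {"host": "branch-gw-17", "vendor": "D-Link", "product": "DIR-823X"},
    {"host": "branch-gw-22", "vendor": "D-Link", "product": "DIR-823X"},
    {"host": "web01.corp.example", "vendor": "F5", "product": "nginx"},  # no KEV match
]

# Phrases in requiredAction that mean "retire the device" rather than "patch it".
RETIRE_HINTS = ("end-of-life", "disconnect", "discontinue")


def load_kev(feed_text):
    """Parse KEV feed JSON and return the list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def matches(entry, asset):
    """Vendor must match exactly (case-insensitive); product matches by substring either way."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    kev_product = entry["product"].lower()
    asset_product = asset["product"].lower()
    return asset_product in kev_product or kev_product in asset_product


def prioritize(feed_text, inventory, today):
    """Return KEV entries that touch the inventory, most urgent first."""
    rows = []
    for entry in load_kev(feed_text):
        hosts = [a["host"] for a in inventory if matches(entry, a)]
        if not hosts:
            continue
        due = date.fromisoformat(entry["dueDate"])
        action = entry.get("requiredAction", "").lower()
        rows.append({
            "cve": entry["cveID"],
            "hosts": hosts,
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "retire": any(hint in action for hint in RETIRE_HINTS),
        })
    # Known ransomware use first, then nearest due date, then CVE id for a stable order.
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date.today()):
        verb = "RETIRE" if row["retire"] else "PATCH"
        print(f"{row['cve']:15} {verb:6} due {row['due']} "
              f"({row['days_left']:+d} days) hosts={','.join(row['hosts'])}")
```

In production the feed text would come from the real catalog download rather than the embedded sample, and the inventory from a CMDB or scanner export; the "retire" flag is a heuristic on CISA's free-text required action, so review it rather than acting on it blindly.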