CISA KEV: 4 Exploited CVEs — SimpleHelp, Samsung MagicINFO, D-Link — May 8 Deadline

By Abhishek Gautam. 5 min read

Quick summary

CISA added 4 CVEs to KEV on April 24, 2026: SimpleHelp (CVSS 9.9 and 7.2), Samsung MagicINFO 9 Server (CVSS 8.8), D-Link DIR-823X (CVSS 7.5). Active exploitation by the DragonForce ransomware operation and by Mirai botnet variants is confirmed. Federal deadline: May 8, 2026.

CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 24, 2026. Three products are affected: SimpleHelp remote monitoring and management software, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers. Federal Civilian Executive Branch agencies must patch or discontinue use by May 8, 2026. Active exploitation is confirmed: SimpleHelp flaws are being used as ransomware precursors by the DragonForce operation; the Samsung and D-Link flaws are being exploited by Mirai botnet variants.

The four CVEs range from critical (CVSS 9.9) down to high (7.2 to 8.8). The CVSS 9.9 SimpleHelp flaw is the most dangerous: a low-privileged technician account can escalate to server administrator without any additional authentication. Where SimpleHelp manages hundreds of endpoints, that single step hands the attacker administrative control of the entire managed fleet.

CVE-2024-57726: SimpleHelp Missing Authorization (CVSS 9.9)

This is the critical one. CVE-2024-57726 is a missing authorization vulnerability in SimpleHelp's API layer. A low-privileged technician account — the kind granted to IT contractors and helpdesk staff — can create API keys with permissions exceeding the technician's own role. Those over-permissioned API keys can then be used to escalate privileges to the server administrator role.

The exploitation path is: obtain any technician-level account (commonly through credential stuffing or purchased leaked credentials), create an over-permissioned API key through the vulnerable endpoint, use that key to assume the server admin role, then pivot to every managed endpoint with full administrative access.
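The flaw class is easier to see in code than in prose. The following is an added illustration, not SimpleHelp's code: the role names, permission strings, account objects and in-memory key store are assumptions chosen to show the missing check. The vulnerable issuer accepts whatever permission list the caller asks for; the fixed one caps it at the caller's own role. The same subset test, run over an existing key store, is the audit of over-scoped keys that the response section later in this article calls for.

```python
"""Over-scoped API-key issuance (the missing-authorization pattern behind
CVE-2024-57726) beside its fix, plus an audit over existing keys.

Added illustration, not SimpleHelp's code. ROLE_PERMS, the permission strings,
Account/ApiKey and the key list are assumptions for the demonstration.
"""
import secrets
from dataclasses import dataclass

# Assumed role model: a technician may drive sessions; only an admin may
# manage users or server settings.
ROLE_PERMS = {
    "technician": frozenset({"session:start", "session:view"}),
    "admin": frozenset({"session:start", "session:view",
                        "users:manage", "server:configure"}),
}
ADMIN_ONLY = ROLE_PERMS["admin"] - ROLE_PERMS["technician"]


class Forbidden(Exception):
    """Raised when an account asks for permissions its role does not grant."""


@dataclass(frozen=True)
class Account:
    name: str
    role: str


@dataclass(frozen=True)
class ApiKey:
    token: str
    owner: str            # account that created the key
    perms: frozenset      # permissions the key carries


def issue_key_vulnerable(caller: Account, requested) -> ApiKey:
    """Vulnerable: trusts the requested permission list verbatim.

    Nothing ties the key's scope to the caller's role, so a technician can
    mint a key that carries admin-only permissions.
    """
    return ApiKey(secrets.token_hex(16), caller.name, frozenset(requested))


def issue_key_fixed(caller: Account, requested) -> ApiKey:
    """Fixed: a key can never carry more than its creator's own role grants."""
    excess = frozenset(requested) - ROLE_PERMS[caller.role]
    if excess:
        raise Forbidden(f"{caller.name} ({caller.role}) may not grant {sorted(excess)}")
    return ApiKey(secrets.token_hex(16), caller.name, frozenset(requested))


def key_grants_admin(key: ApiKey) -> bool:
    """The escalation step: an admin-only action gated purely on the key's permissions."""
    return bool(key.perms & ADMIN_ONLY)


def find_overscoped_keys(keys, accounts):
    """Audit: keys whose permissions exceed their owner's current role,
    or whose owner account no longer exists."""
    by_name = {a.name: a for a in accounts}
    flagged = []
    for key in keys:
        owner = by_name.get(key.owner)
        if owner is None or not key.perms <= ROLE_PERMS[owner.role]:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    contractor = Account("helpdesk-contractor", "technician")
    # Before the fix: a technician mints a key carrying an admin-only right.
    rogue = issue_key_vulnerable(contractor, {"session:start", "users:manage"})
    print("escalation possible:", key_grants_admin(rogue))
    # After the fix the same request is refused.
    try:
        issue_key_fixed(contractor, {"session:start", "users:manage"})
    except Forbidden as err:
        print("refused:", err)
    # A retrospective audit over the key store finds the rogue key.
    admin = Account("ops-admin", "admin")
    legit = issue_key_fixed(admin, {"users:manage"})
    for k in find_overscoped_keys([rogue, legit], [contractor, admin]):
        print("over-scoped key owned by", k.owner, sorted(k.perms))
```

The point of `find_overscoped_keys` is that patching stops new over-scoped keys from being minted but says nothing about keys minted before the patch; those have to be found and revoked, which is why key rotation sits next to patching in the response steps.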

Field Effect and Sophos have reported this flaw being exploited as a ransomware precursor, specifically by the DragonForce ransomware operation. DragonForce uses the SimpleHelp admin escalation to take control of managed endpoint fleets, then deploys the ransomware payload simultaneously across all managed devices, maximising impact before defenders can respond.

If your organisation uses SimpleHelp for remote monitoring or endpoint management, treat CVE-2024-57726 as a critical incident requiring immediate response — not a routine patch cycle item.

CVE-2024-57728: SimpleHelp Path Traversal (CVSS 7.2)

The second SimpleHelp CVE is a path traversal (zip-slip) vulnerability. An admin user can upload a crafted ZIP archive whose entry names contain traversal sequences, so extraction writes files outside the intended upload directory, anywhere the server process can write. On most deployments, this translates to arbitrary code execution: writing a web shell, a startup script, or overwriting a service binary that SimpleHelp will execute on restart.

This is a post-escalation tool — it requires admin access to exploit. The attack chain typically goes: CVE-2024-57726 (escalate to admin) then CVE-2024-57728 (write persistent backdoor). The two CVEs in combination represent a complete compromise chain from technician credentials to persistent server-level code execution.

CVE-2024-7399: Samsung MagicINFO 9 Server (CVSS 8.8)

Samsung MagicINFO 9 is the server software managing Samsung commercial digital signage displays — used in airports, shopping centres, hospitals, corporate lobbies, and retail environments. CVE-2024-7399 is a path traversal vulnerability that allows an attacker to write arbitrary files with SYSTEM privileges.
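Both CVE-2024-57728 (zip-slip on archive extraction) and CVE-2024-7399 (traversal on a file-write path) are the same defect: a user-controlled name is joined to a base directory without checking where the result lands. The following is an added example, not SimpleHelp's or Samsung's code, showing the one containment check that closes both. The archives are constructed in memory and the target directory is a temp dir; the entry names and file contents are invented for the demonstration.

```python
"""Path-containment check shared by the two file-write flaws above.

Added example, not vendor code. safe_join() resolves the final path and
refuses anything outside the base directory; write_upload() and
extract_safely() apply it to the two shapes the CVEs describe. The ZIPs are
constructed here; there is no real upload or real archive involved.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


class PathEscape(ValueError):
    """The requested path would resolve outside the permitted directory."""


def safe_join(base: Path, user_path: str) -> Path:
    """Return base/user_path only if the resolved result stays inside base.

    resolve() canonicalises '..' and follows symlinks in existing parents,
    so a link planted by an earlier write cannot redirect this one either.
    """
    if os.path.isabs(user_path):
        raise PathEscape(f"absolute path rejected: {user_path!r}")
    base = base.resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PathEscape(f"{user_path!r} escapes {base}")
    return target


def write_upload(base: Path, name: str, data: bytes) -> Path:
    """Hardened file-write endpoint (the CVE-2024-7399 shape)."""
    target = safe_join(base, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def extract_safely(zip_bytes: bytes, dest: Path) -> list:
    """Hardened archive extraction (the CVE-2024-57728 shape)."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Symlink entries carry st_mode in the high 16 bits of external_attr;
            # refuse them, since a link could redirect a later entry's write.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                raise PathEscape(f"symlink entry rejected: {info.filename}")
            target = safe_join(dest, info.filename)  # raises on '../' escapes
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_zip(entries: dict) -> bytes:
    """Constructed archive for the demo: entry name -> bytes (names stored verbatim)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


BENIGN_ZIP = build_zip({"reports/q1.txt": b"ok"})
ZIP_SLIP = build_zip({"../../etc/cron.d/backdoor": b"* * * * * root /tmp/x\n"})


def run_demo() -> dict:
    """Exercise both defences in a temp dir; report what was written or blocked."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d) / "uploads"
        base.mkdir()
        result["benign"] = [p.relative_to(base.resolve()).as_posix()
                            for p in extract_safely(BENIGN_ZIP, base)]
        try:
            extract_safely(ZIP_SLIP, base)
            result["zip_slip_blocked"] = False
        except PathEscape:
            result["zip_slip_blocked"] = True
        try:
            write_upload(base, "../../../windows/system32/evil.dll", b"")
            result["traversal_blocked"] = False
        except PathEscape:
            result["traversal_blocked"] = True
        # Anything escaping the sandbox would appear beside it; must not exist.
        result["outside_leak"] = (Path(d) / "etc").exists()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Note that the check is on the resolved path, not on the presence of `..` in the string: encoded separators, mixed slashes on Windows, and symlinked parents all collapse to the same question, namely whether the final location is under the base directory.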

Exploitation has been linked to Mirai botnet variant campaigns. The Mirai family targets networked devices with default credentials or publicly disclosed vulnerabilities, conscripts them into DDoS botnets, and has been expanding its target set beyond IP cameras and routers to commercial display management systems.

Organisations running Samsung digital signage infrastructure face two risks: DDoS botnet conscription (the primary Mirai use case), and the more severe possibility that a sophisticated attacker uses the SYSTEM file write to deploy persistent malware on the signage server, which may sit on internal networks with access to more sensitive systems than its external-facing role implies.

Patch CVE-2024-7399 by upgrading to MagicINFO 9 Server version 21.1050 or later. Samsung published the fix in August 2024; the long gap between that release and the exploitation now confirmed is the deployment lag that put it in CISA KEV.

CVE-2025-29635: D-Link DIR-823X Command Injection (CVSS 7.5)

D-Link DIR-823X is an end-of-life router series. CVE-2025-29635 is a command injection vulnerability reachable through a POST request to /goform/set_prohibiting: an authenticated attacker can execute arbitrary OS commands on the device. Do not lean on that authentication requirement; consumer routers of this class are routinely found with default or reused admin credentials, which is exactly what Mirai-family scanners try first.

D-Link ended support for the DIR-823X in 2024, so there is no patch and none is coming. CISA's guidance for this CVE is to discontinue use of the device rather than apply a fix, because no fix exists. Until the hardware is physically replaced, standard router hygiene (non-default admin credentials, WAN-side management disabled, no direct internet exposure of the admin interface) narrows the path to the vulnerable endpoint but does not remove it; any DIR-823X still in production is an exposure that only replacement closes.

This is increasingly common in the KEV catalog: end-of-life hardware with confirmed active exploitation where the only remediation is hardware replacement. The Mirai botnet has been actively targeting DIR-823X devices, and the command injection provides persistent device control.

DragonForce Ransomware: The SimpleHelp Connection

DragonForce is a ransomware-as-a-service operation first observed in 2023. It has been escalating in scope and targeting throughout 2024-2026, including attacks on retail chains, logistics companies, and managed service providers. The SimpleHelp exploitation confirms DragonForce's M.O.: targeting RMM (Remote Monitoring and Management) software as an initial access vector provides immediate access to all endpoints the RMM manages.

An MSP running SimpleHelp to manage 200 client environments is, from DragonForce's perspective, a single point of compromise that yields 200 simultaneous ransomware deployment opportunities. The return on exploiting RMM software vastly exceeds endpoint-by-endpoint attacks, which is why CISA, the FBI and the Joint Cyber Defense Collaborative have been explicitly warning about RMM software targeting since 2023.

The SimpleHelp CVEs are not new: the IDs come from the 2024 allocation and the flaws were publicly disclosed in early 2025. The 12+ month exploitation window before KEV addition reflects the slow patch cycle at MSPs and enterprises running SimpleHelp in production. If you have not patched, you have been at risk for over a year.

What Developers and IT Teams Need to Do Now

If you run SimpleHelp:

  • Patch immediately to the current release (5.5.8 or later) and confirm the running version on every instance, including staging and lab servers.
  • Audit technician accounts and revoke any account with more permissions than it operationally needs.
  • Rotate all API keys; a key minted before the patch may already carry admin-only permissions, and patching does nothing to existing keys.
  • Review audit logs for evidence of CVE-2024-57726 exploitation: API key creation by technician accounts, keys whose permissions exceed their creator's role, and unexpected promotions to the server admin role.
  • Treat any instance that ran unpatched over the last 12 months as potentially compromised, and extend that assumption to the endpoints it manages, since an attacker with the admin role had full access to them.

If you run Samsung MagicINFO 9:

Upgrade to version 21.1050 or later. Audit network segmentation — MagicINFO servers that have access to internal networks beyond display management are higher-risk targets.

If you run D-Link DIR-823X:

Replace the device. There is no patch, and router hygiene only narrows the path to the vulnerable endpoint rather than closing it. These routers are actively being conscripted into Mirai botnets and can be used as pivot points into internal networks.

For all CI/CD and monitoring pipelines:

Add CVE-2024-57726, CVE-2024-57728, CVE-2024-7399, and CVE-2025-29635 to your vulnerability scanner's priority list. If your security tooling auto-imports the CISA KEV catalog, these will appear automatically; verify that they are actually raising alerts in your environment rather than assuming the import works. A KEV match is only actionable once it is joined against an asset inventory that knows which hosts run these products and at which version.
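The join against an inventory is the part most pipelines get wrong, so here it is worked through. This is an added example, not the page's or CISA's tooling. KEV_SAMPLE is a constructed excerpt mirroring the four entries this article discusses, using the real feed's field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the live catalog is the JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and its text can be passed to load_kev() unchanged. The INVENTORY hosts are invented, and FIXED_IN holds the fixed versions as this article states them.

```python
"""Match an asset inventory against CISA KEV entries and rank what is due.

Added example, not CISA's or the page's tooling. KEV_SAMPLE is constructed
from this article's four entries with the real feed's field names; the
inventory hosts are invented; FIXED_IN is taken from the article's text.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Fixed versions as given in this article; None means no vendor fix exists.
FIXED_IN = {
    "CVE-2024-57726": "5.5.8",
    "CVE-2024-57728": "5.5.8",
    "CVE-2024-7399": "21.1050",
    "CVE-2025-29635": None,
}

# Constructed inventory in the shape of a CMDB export.
INVENTORY = [
    {"host": "rmm01", "vendor": "SimpleHelp", "product": "SimpleHelp", "version": "5.5.7"},
    {"host": "rmm02", "vendor": "SimpleHelp", "product": "SimpleHelp", "version": "5.5.8"},
    {"host": "signage-srv", "vendor": "Samsung", "product": "MagicINFO 9 Server", "version": "21.1040"},
    {"host": "branch-rtr", "vendor": "D-Link", "product": "DIR-823X", "version": "240126"},
]


def parse_version(text: str) -> tuple:
    """'21.1050' -> (21, 1050); numeric dotted versions only."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def load_kev(text: str) -> list:
    """Parse the KEV feed (this sample or the real download) into its entry list."""
    return json.loads(text)["vulnerabilities"]


def kev_matches(entries: list, inventory: list, today: date) -> list:
    """Return one finding per (host, CVE) still exposed, most urgent first."""
    findings = []
    for asset in inventory:
        for entry in entries:
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if entry["product"].lower() not in asset["product"].lower():
                continue
            cve = entry["cveID"]
            if cve not in FIXED_IN:
                action = "check vendor advisory"
            elif FIXED_IN[cve] is None:
                action = "no fix: replace device"
            elif parse_version(asset["version"]) >= parse_version(FIXED_IN[cve]):
                continue  # already at or above the fixed version
            else:
                action = "patch to " + FIXED_IN[cve]
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "action": action,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "days_to_due": (due - today).days,
            })
    # Known ransomware use first, then whatever is closest to its deadline.
    findings.sort(key=lambda f: (not f["ransomware"], f["days_to_due"]))
    return findings


def demo_findings() -> list:
    """Run the sample inventory against the sample feed as of 2026-04-30."""
    return kev_matches(load_kev(KEV_SAMPLE), INVENTORY, date(2026, 4, 30))


if __name__ == "__main__":
    for f in demo_findings():
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['host']:12} {f['cve']:15} due in {f['days_to_due']:2}d  {f['action']}{flag}")
```

Two things the example deliberately does that a bare KEV import does not: it drops hosts already at the fixed version (rmm02 produces no finding), and it distinguishes "patch" from "no fix: replace device" so the D-Link entry is not buried in a patch queue that can never close it.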

Key Takeaways

  • CISA added 4 CVEs on April 24, 2026: SimpleHelp (CVSS 9.9 + 7.2), Samsung MagicINFO 9 (CVSS 8.8), D-Link DIR-823X (CVSS 7.5); federal FCEB agencies must patch or discontinue by May 8
  • CVE-2024-57726 is the critical one: technician-to-admin escalation with no additional authentication; DragonForce ransomware using it as MSP fleet attack precursor
  • Samsung MagicINFO 9 + D-Link tied to Mirai botnet: patch MagicINFO to 21.1050+; D-Link DIR-823X has no patch — replace the device
  • DragonForce RMM targeting: ransomware operators targeting SimpleHelp specifically because MSP compromise = simultaneous access to all managed client environments
  • 12+ month exploitation gap: flaws disclosed in early 2025 (carrying 2024 CVE IDs) still exploited in 2026 because patch cycles at MSPs and enterprises are slow; if you run any of these products unpatched, treat them as potentially compromised now
  • D-Link DIR-823X: end-of-life, no fix, CISA says discontinue use — any device still in production is an unmitigatable network exposure

For the broader 2026 cyberattack landscape, read UK NCSC Warning: Iran, China, Russia Seismic Cyberattack Risk. For the Cisco SD-WAN federal patch context, read CISA Cisco SD-WAN CVE Federal Patch Deadline. Use the Email Spoof Checker to verify your domain is not being used in DragonForce phishing campaigns targeting your clients.

FAQ


What CVEs did CISA add to KEV on April 24, 2026?

CISA added four CVEs on April 24, 2026: CVE-2024-57726 (SimpleHelp, CVSS 9.9 — missing authorization allowing technician-to-admin escalation), CVE-2024-57728 (SimpleHelp, CVSS 7.2 — path traversal ZIP-slip allowing arbitrary file write and code execution), CVE-2024-7399 (Samsung MagicINFO 9 Server, CVSS 8.8 — path traversal allowing SYSTEM-privileged file writes), and CVE-2025-29635 (D-Link DIR-823X, CVSS 7.5 — command injection). Federal agencies must patch or discontinue use by May 8, 2026.

How is DragonForce ransomware exploiting SimpleHelp?

DragonForce ransomware operators exploit CVE-2024-57726 to escalate from a low-privileged technician account to server administrator in SimpleHelp. From there, they have complete control of all endpoints managed through the SimpleHelp instance. MSPs using SimpleHelp to manage hundreds of client environments are particularly high-value targets — a single SimpleHelp compromise gives DragonForce simultaneous access to every managed endpoint, enabling mass ransomware deployment before defenders can respond. Patch to SimpleHelp 5.5.8 or later immediately.

Is there a patch for the D-Link DIR-823X CVE-2025-29635?

No. D-Link DIR-823X is end-of-life and D-Link will not release a patch. CISA's official recommendation is to discontinue use of the device and replace it with a supported alternative. The command injection vulnerability allows any authorized attacker to execute arbitrary OS commands on the router. Mirai botnet variants are actively targeting DIR-823X devices. Any D-Link DIR-823X still running in production is an unmitigatable vulnerability that should be treated as a network exposure requiring hardware replacement.

What should developers do if their organization uses SimpleHelp?

If your organization runs SimpleHelp, treat CVE-2024-57726 as a critical incident: patch immediately to version 5.5.8 or later, audit all technician accounts and revoke excess permissions, rotate all API keys, and review audit logs for evidence of unauthorized API key creation or privilege escalation. Any SimpleHelp instance running unpatched since early 2025 should be treated as potentially compromised. Beyond SimpleHelp specifically, the CISA KEV additions signal that RMM software is a primary attack vector in 2026 ransomware campaigns — audit all remote monitoring tooling in your stack.


Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 924+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.