CISA KEV Update: Samsung, SimpleHelp, and D-Link Flaws Exploited
- [01] Threat actors are actively exploiting four newly identified vulnerabilities in Samsung, SimpleHelp, and D-Link products to compromise sensitive federal and private networks.
- [02] Affected systems include Samsung MagicINFO 9 Server, SimpleHelp remote support software, and D-Link DIR-823X routers with specific unpatched firmware versions.
- [03] Organizations must identify affected assets and apply manufacturer-provided security patches immediately to prevent unauthorized access and command execution.
Overview of the CISA KEV Catalog Expansion
On April 24, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog to include four new flaws affecting Samsung, SimpleHelp, and D-Link products. According to CISA, these vulnerabilities are being actively used by malicious actors in the wild. The inclusion of a CVE in the KEV catalog signifies that there is clear evidence of exploitation, moving these issues from theoretical risks to immediate operational threats.
While Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these specific vulnerabilities within a defined timeframe, the advisory also serves as a high-priority warning for private sector SOC teams and security administrators. The classes of flaw involved (path traversal, missing authorization, and command injection) are among the most common techniques used for initial access and subsequent internal network compromise.
Samsung MagicINFO 9 Server Path Traversal Exploit
The most prominent addition is CVE-2024-7399, a path traversal vulnerability in the Samsung MagicINFO 9 Server. MagicINFO is a specialized content management platform used for digital signage and large-scale display networks. The flaw allows an attacker to access files and directories outside of the intended web root, potentially exposing sensitive configuration files or credentials.
In many enterprise environments, these servers are connected to internal networks, making them an attractive target for an APT looking to establish a foothold. An attacker who can read system files may use them to enable lateral movement or to escalate privileges within the display infrastructure. Although the CISA advisory does not state a CVSS score, the confirmed exploitation in the wild makes this a critical priority for organizations that run Samsung’s signage solutions.
Analysis of SimpleHelp Remote Access Flaws
Two vulnerabilities were added affecting SimpleHelp, a remote support and management software suite. Remote access tools are high-value targets because they are designed to bypass traditional perimeter security.
- CVE-2024-57726: This missing authorization vulnerability allows an attacker to perform actions that should be restricted to authenticated users. In the context of remote support, this could allow an adversary to hijack active sessions or gain unauthorized control over managed endpoints.
- CVE-2024-57728: This path traversal vulnerability in SimpleHelp provides another avenue for data exfiltration or system manipulation.
The primary mitigation for the missing authorization flaw is to update SimpleHelp immediately to the latest version provided by the vendor. Threat actors often target remote support tools to deploy ransomware or steal intellectual property, because such tools provide an encrypted channel into the heart of a victim’s network.
D-Link DIR-823X Command Injection Vulnerability
The final addition is CVE-2025-29635, which affects D-Link DIR-823X routers. This is a command injection vulnerability, a particularly dangerous class of flaw that can lead to RCE. When exploited, it lets an attacker execute arbitrary system commands on the router’s operating system, often with high privileges.
Routers are frequently targeted for recruitment into botnets or to serve as a relay for further attacks. Because SOHO (Small Office/Home Office) equipment like the DIR-823X often lacks EDR or advanced monitoring, these compromises can go undetected for long periods. Security teams should scan their environments for these devices and ensure firmware is updated or, if the device is end-of-life, replace it with supported hardware.
Recommended Mitigation Strategies
Defenders should prioritize the following actions to address these threats:
- Inventory Check: Use SIEM logs and asset discovery tools to identify any instances of Samsung MagicINFO 9 Server, SimpleHelp, or D-Link DIR-823X routers within the environment.
- Patching: Apply the latest firmware and software updates immediately. For SimpleHelp, ensure that all client agents are also updated to prevent session hijacking.
- Network Segmentation: Isolate management interfaces for digital signage and remote support tools. Ensure these services are not exposed to the public internet unless protected by a VPN or a verified Zero Trust access broker.
- Log Monitoring: Review server logs for unusual directory traversal patterns (e.g., ../../) or unexpected system command execution originating from web-facing applications.
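The log-monitoring step above, worked through as an added example that is not part of the advisory or any vendor's tooling: a small scanner that percent-decodes each request path (repeatedly, to catch double encoding), normalizes backslashes, and flags only requests whose path actually climbs above the web root. The log lines, IP addresses and URL paths are constructed for illustration.

```python
"""Flag likely path-traversal attempts in web server access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; none of these hosts or paths are real.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2026:10:01:02 +0000] "GET /signage/content/list HTTP/1.1" 200 512
10.0.0.7 - - [24/Apr/2026:10:01:09 +0000] "GET /files/../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [24/Apr/2026:10:01:15 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 404 0
10.0.0.7 - - [24/Apr/2026:10:01:21 +0000] "GET /files/..%252f..%252fwindows/win.ini HTTP/1.1" 200 301
10.0.0.9 - - [24/Apr/2026:10:02:00 +0000] "GET /static/css/../app.css HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_repeatedly(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %252f-style double encoding)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_web_root(target: str) -> bool:
    """True if the decoded path climbs above the web root; '/a/../b' stays inside and is not flagged."""
    path = decode_repeatedly(target.split("?", 1)[0]).replace("\\", "/")
    depth = 0  # number of directory levels below the web root
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_log(log_text: str) -> list:
    """Return one finding (source IP, raw target, decoded path) per request that escapes the web root."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_web_root(m.group("target")):
            target = m.group("target")
            findings.append({"ip": line.split(" ", 1)[0], "target": target,
                             "decoded": decode_repeatedly(target.split("?", 1)[0])})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['target']} -> {f['decoded']}")
```

Feeding a real access log through scan_log yields the decoded path alongside the raw request, so the encoded variants are visible to the analyst and the benign relative reference on the last sample line produces no alert.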