The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with four new entries, citing confirmed evidence of active exploitation across remote support infrastructure, digital signage management, and consumer-grade edge networking gear. Federal Civilian Executive Branch (FCEB) agencies are required to remediate all four by May 8, 2026, under Binding Operational Directive (BOD) 22-01.
CVE-2024-7399 — Samsung MagicINFO 9 Server | Path Traversal
Samsung MagicINFO 9 Server, a centralized content management platform used for enterprise digital signage deployments, contains a path traversal vulnerability that allows an unauthenticated remote attacker to read arbitrary files outside the intended web root directory. The flaw exists in improper sanitization of file path inputs within the server’s HTTP-accessible interface.
Successful exploitation enables an attacker to retrieve configuration files, stored credentials, session tokens, and potentially sensitive business content served through managed displays. In enterprise environments, MagicINFO instances are frequently exposed on internal networks with limited egress filtering, making lateral movement a realistic post-exploitation outcome.
Affected versions: MagicINFO 9 Server prior to the patched release.
Remediation: Apply Samsung’s official security update. Restrict access to the MagicINFO administrative interface to trusted IP ranges at the network perimeter. Disable public-facing exposure of the management console where operationally feasible.
CVE-2024-57726 — SimpleHelp | Missing Authorization | CVSS 9.9
SimpleHelp remote support software contains a critical missing authorization vulnerability in its API key management layer. Low-privileged technician accounts can invoke API endpoints that should be restricted to server administrators, enabling creation of API keys with elevated — including server admin-level — permissions.
The flaw does not require any interaction from a higher-privileged user and can be exploited by any authenticated technician account. Once an attacker obtains a technician credential (via phishing, credential stuffing, or insider access), they can silently escalate to full server administrative control. CISA has flagged this vulnerability class as a known precursor technique in ransomware deployment chains.
Affected versions: SimpleHelp 5.5.7 and earlier.
Remediation: Upgrade to SimpleHelp 5.5.8 or later per the vendor’s January 2025 security advisory. Audit all API key grants and revoke any unexplained high-privilege keys. Enforce MFA on all technician accounts accessing the SimpleHelp console.
CVE-2024-57728 — SimpleHelp | Path Traversal
A companion flaw to CVE-2024-57726, this path traversal vulnerability in SimpleHelp allows an attacker — particularly one who has escalated privileges through the missing authorization flaw — to access or overwrite files outside the application’s intended directory structure on the host server.
When chained with CVE-2024-57726, an adversary can progress from low-privileged technician access → API key escalation → server admin → arbitrary file write, achieving a full compromise of the underlying host without any legitimate administrative credential. The chain has the characteristics of a high-confidence ransomware precursor sequence.
Affected versions: SimpleHelp 5.5.7 and earlier.
Remediation: Same patch vector as CVE-2024-57726 — upgrade to SimpleHelp 5.5.8 or later. Treat both CVEs as a single attack chain; patching one without the other does not eliminate the composite risk.
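The two controls whose absence makes the chain above work, as an added example that is not SimpleHelp's or Samsung's code: a role ceiling on API-key creation (the check missing in CVE-2024-57726) and realpath-based containment of server-side file paths (the traversal class of CVE-2024-57728 and CVE-2024-7399). The server, roles and base directory are hypothetical.

```python
# Hardened versions of the two checks whose absence makes the chain above possible.
# Hypothetical toy support server, not SimpleHelp or MagicINFO code.
import os
import secrets
from enum import IntEnum
from urllib.parse import unquote

class Role(IntEnum):
    TECHNICIAN = 1
    SERVER_ADMIN = 2

def key_request_allowed(caller_role: Role, requested_role: Role) -> bool:
    """The rule missing in CVE-2024-57726: a key can never carry more privilege
    than the account that mints it, so a technician cannot mint an admin key."""
    return requested_role <= caller_role

def create_api_key(caller_role: Role, requested_role: Role) -> dict:
    if not key_request_allowed(caller_role, requested_role):
        raise PermissionError(f"{caller_role.name} may not create a {requested_role.name} key")
    return {"role": requested_role, "key": secrets.token_hex(16)}

def fully_decoded(user_path: str) -> str:
    """Undo percent-encoding until stable, so %2e%2e and %252e%252e both become '..'."""
    for _ in range(3):
        decoded = unquote(user_path)
        if decoded == user_path:
            break
        user_path = decoded
    return user_path

def resolve_contained_path(base_dir: str, user_path: str):
    """Absolute path for user_path if it stays under base_dir, otherwise None.
    Containment is tested on the realpath (after '..', absolute-path and symlink
    resolution), so traversal is rejected rather than 'sanitised' away."""
    decoded = fully_decoded(user_path).replace("\\", "/")
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

if __name__ == "__main__":
    base = "/srv/support/files"  # constructed example root
    for p in ["reports/q1.log", "../../etc/passwd", "%252e%252e/%252e%252e/etc/passwd"]:
        print(f"{p!r:45} -> {resolve_contained_path(base, p)}")
    print(create_api_key(Role.SERVER_ADMIN, Role.TECHNICIAN)["role"].name)
```

Note that the containment test compares resolved paths, so a sibling directory with the same prefix (files-old next to files) is rejected as well, which a plain string-prefix check would miss.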
CVE-2025-29635 — D-Link DIR-823X | Command Injection
The D-Link DIR-823X series router contains a command injection vulnerability in its management interface that allows an attacker to execute arbitrary OS-level commands on the affected device. The flaw resides in improper input validation of user-supplied parameters passed to underlying shell routines.
D-Link DIR-823X routers are consumer-grade edge devices commonly deployed in small office and home office (SOHO) environments, as well as on the periphery of mid-market enterprise networks. Their lifecycle management is typically poor — firmware updates are infrequent, and many units continue operating long past vendor support windows. Command injection on these devices enables full router compromise: traffic interception, persistent backdoor implantation, lateral pivot into adjacent network segments, and botnet recruitment.
Affected versions: DIR-823X series; check vendor advisory for specific firmware versions.
Remediation: Apply the latest D-Link firmware update where available. For end-of-life devices no longer receiving patches, CISA’s standard guidance applies — discontinue use or implement network-level compensating controls (VLAN isolation, restrictive ACLs, disabling remote management). Do not expose the router’s administrative interface to the internet under any circumstances.
Analyst Perspective
This batch is operationally significant for its product diversity. Two SimpleHelp CVEs forming a privilege escalation chain reflect a recurring pattern in KEV additions — individual flaws that appear moderate in isolation but become critical when chained. The MagicINFO addition signals that digital signage and AV-over-IP infrastructure is increasingly in scope for threat actors, particularly in environments where these systems share network segments with corporate assets. The D-Link inclusion continues CISA’s sustained pressure on SOHO and SMB edge device hygiene — a category that remains chronically under-patched across both the private sector and federal supply chains.
All four CVEs carry the implicit message: if it connects to your network and it’s running vulnerable software, it is a foothold candidate regardless of how peripheral it appears.
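To turn the May 8, 2026 BOD 22-01 due date into a per-asset work queue, an added example that is not CISA's tooling: it filters KEV-shaped records for the products in a constructed inventory and orders them by days remaining. Field names follow CISA's public KEV JSON feed; the vendor/product strings and the ransomware-use flag in the sample records are placeholders to be replaced with the live feed's values.

```python
# Triage helper: which KEV entries touch products we run, and how long until the
# BOD 22-01 due date. Added example, not CISA tooling. Field names follow CISA's
# public KEV JSON feed; the records below are constructed from the advisory above.
import json
from datetime import date

# knownRansomwareCampaignUse is a placeholder here; read it from the live feed.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
]})

def load_entries(raw_json: str) -> list:
    """Parse a KEV feed document (or the sample above) into its entry list."""
    return json.loads(raw_json)["vulnerabilities"]

def triage(entries: list, inventory: set, today_iso: str) -> list:
    """Keep entries whose (vendorProject, product) pair is in our inventory, compute
    days left until dueDate and order most urgent first (negative = overdue)."""
    today = date.fromisoformat(today_iso)
    rows = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        rows.append({
            "cve": e["cveID"],
            "product": e["product"],
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "open",
            "ransomware_use": e.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows

if __name__ == "__main__":
    # Constructed inventory: this site runs SimpleHelp and the D-Link router but no
    # MagicINFO, so CVE-2024-7399 drops out as not applicable.
    owned = {("SimpleHelp", "SimpleHelp"), ("D-Link", "DIR-823X")}
    for row in triage(load_entries(SAMPLE_KEV_JSON), owned, date.today().isoformat()):
        print(f"{row['cve']:<15} {row['product']:<10} {row['status']:<8} {row['days_left']:>5}d")
```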