CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
CISA added four actively exploited vulnerabilities to its KEV catalog, affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, with a federal patch deadline of May 8, 2026.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws affect SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers. Federal Civilian Executive Branch (FCEB) agencies must apply fixes or discontinue use of the affected products by May 8, 2026.
The most severe of the newly added flaws are two vulnerabilities in SimpleHelp remote support software. CVE-2024-57726 (CVSS 9.9) is a missing authorization bug that allows low-privileged technicians to create API keys with excessive permissions, enabling privilege escalation to the server admin role. CVE-2024-57728 (CVSS 7.2) is a path traversal vulnerability that lets admin users upload arbitrary files via a crafted zip file (zip slip), leading to remote code execution on the host. Both flaws have been exploited in ransomware campaigns, including by the DragonForce ransomware operation, according to reports from Field Effect and Sophos.
The third vulnerability, CVE-2024-7399 (CVSS 8.8), is a path traversal flaw in Samsung MagicINFO 9 Server that allows an attacker to write arbitrary files as system authority. This bug has been linked to malicious activity deploying the Mirai botnet. The fourth, CVE-2025-29635 (CVSS 7.5), is a command injection vulnerability in end-of-life D-Link DIR-823X series routers. An authenticated attacker can execute arbitrary commands by sending a POST request to /goform/set_prohibiting. Akamai disclosed earlier this week that this flaw is being exploited to deliver a Mirai botnet variant named "tuxnokill."
CISA's KEV catalog serves as a mandatory directive for federal agencies, requiring them to remediate listed vulnerabilities by the specified deadline or discontinue use of the affected products. For CVE-2025-29635, which affects unsupported end-of-life devices, CISA explicitly recommends discontinuing the routers. The May 8, 2026 deadline gives agencies roughly two weeks to act.
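The practical step behind a KEV addition is matching the catalog against what you actually run. The script below is an added example, not CISA's code or anything from the article: it reads a snapshot in the shape of CISA's public KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate, requiredAction and knownRansomwareCampaignUse are the feed's real ones), joins it to a small asset inventory, and reports what is due and whether the required action is a patch or a replacement. The four catalog entries are constructed from the details in this article; their dateAdded, shortDescription and requiredAction wording, and the "Unknown" ransomware flag on the Samsung and D-Link entries, are assumptions for the example. Note that the KEV feed carries no version data, so a match means "review this asset", not "this asset is vulnerable".

```python
"""Match a KEV catalog snapshot against an asset inventory and report what is due.

Added example; not CISA's code. The real feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
but this script runs offline on a constructed snapshot.
"""
import json
from datetime import date

# Constructed snapshot in the shape of the KEV feed. Field names are the feed's real
# ones; dateAdded, shortDescription, requiredAction text and the "Unknown" ransomware
# flags are assumptions. dueDate is the article's May 8, 2026 deadline.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Missing Authorization Vulnerability",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                           "of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "vulnerabilityName": "SimpleHelp Path Traversal Vulnerability",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                           "of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
         "vulnerabilityName": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                           "of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
         "vulnerabilityName": "D-Link DIR-823X Command Injection Vulnerability",
         "dateAdded": "2026-04-24", "dueDate": "2026-05-08",
         "requiredAction": "The impacted product is end-of-life and should be "
                           "disconnected if still in use.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory export. Asset names are hypothetical; the FortiGate row is a
# control that must not match anything in the snapshot.
INVENTORY = [
    {"asset": "rs-01", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"asset": "signage-02", "vendor": "Samsung", "product": "MagicINFO 9 Server"},
    {"asset": "branch-rtr-07", "vendor": "D-Link", "product": "DIR-823X"},
    {"asset": "fw-03", "vendor": "Fortinet", "product": "FortiGate"},
]


def _norm(text):
    """Lower-case and collapse whitespace so free-text vendor/product fields compare sanely."""
    return " ".join(text.lower().split())


def load_kev(snapshot_json):
    """Return the list of catalog entries from a KEV JSON document."""
    return json.loads(snapshot_json)["vulnerabilities"]


def is_eol_action(required_action):
    """True when CISA's required action says the product is end-of-life (replace, don't patch)."""
    text = _norm(required_action)
    return "end-of-life" in text or "end of life" in text


def match_inventory(kev_entries, inventory, today_iso):
    """Join KEV entries to inventory rows by vendor and product.

    Returns one finding per (asset, CVE) pair, sorted by due date, with entries CISA
    marks as used in ransomware first within the same date. KEV has no version data,
    so every finding is a review item, not a confirmed vulnerable host.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev_entries:
        vendor, product = _norm(entry["vendorProject"]), _norm(entry["product"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _norm(asset["vendor"]) == vendor and product in _norm(asset["product"]):
                findings.append({
                    "asset": asset["asset"],
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_left": (due - today).days,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                    "action": "replace_or_disconnect" if is_eol_action(entry["requiredAction"]) else "patch",
                })
    findings.sort(key=lambda f: (f["due"], not f["ransomware"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in match_inventory(load_kev(KEV_SNAPSHOT), INVENTORY, "2026-04-24"):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['asset']:<14} {f['cve']:<15} due {f['due']} ({f['days_left']:>3}d) {f['action']}{flag}")
```

Run against the live feed, the join is the whole job: pull the JSON, export vendor/product pairs from your CMDB, and the D-Link row surfaces as replace_or_disconnect while the SimpleHelp rows surface as patch with the ransomware flag set. The substring match on product is deliberately loose because KEV product strings do not follow inventory naming; tighten it per vendor once you see what your own data looks like.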
The inclusion of these four vulnerabilities underscores the persistent threat posed by known, exploitable flaws in widely used software and hardware. The SimpleHelp vulnerabilities, in particular, highlight how remote support tools can become a vector for ransomware attacks when left unpatched. The Samsung MagicINFO and D-Link flaws demonstrate the continued risk from Internet of Things (IoT) devices and legacy infrastructure that often remain unmanaged.
Organizations outside the federal government are strongly urged to prioritize patching these vulnerabilities. For the D-Link DIR-823X routers, which are no longer supported, the only safe mitigation is to replace the devices. CISA's KEV catalog remains a critical resource for defenders, providing a curated list of vulnerabilities that are known to be exploited in the wild, enabling organizations to focus their limited resources on the most pressing threats.