The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog to include newly identified security flaws impacting products from SimpleHelp, Samsung, and D‑Link. Inclusion in the KEV catalog indicates that CISA is aware of active exploitation in real‑world attacks.
Vulnerabilities added to the KEV catalog
The following issues were added in the latest update:
- CVE‑2024‑7399 – Samsung MagicINFO 9 Server Path Traversal
- CVE‑2024‑57726 – SimpleHelp Missing Authorization
- CVE‑2024‑57728 – SimpleHelp Path Traversal
- CVE‑2025‑29635 – D‑Link DIR‑823X Command Injection
Samsung MagicINFO exploitation details
The most severe of the listed flaws, CVE‑2024‑7399, carries a CVSS score of 8.8 and affects Samsung MagicINFO 9 Server versions earlier than 21.1050. The issue stems from improper restriction of file paths, allowing attackers to escape intended directories. By exploiting this weakness, a remote attacker can write arbitrary files to the server with system‑level privileges.
In May 2025, researchers at Arctic Wolf observed threat actors actively exploiting this vulnerability in Samsung’s MagicINFO content management system (CMS). The activity was detected only days after proof‑of‑concept (PoC) exploit code became publicly available, highlighting how quickly attackers moved to weaponize the flaw.
At its core, CVE‑2024‑7399 is an input validation failure that allows unauthenticated attackers to upload malicious JSP files and subsequently execute code with system authority. Although Samsung initially disclosed the vulnerability in August 2024, there was no evidence of exploitation at that time. This changed rapidly after a PoC was released on April 30, 2025, prompting a surge in observed attacks. Due to the simplicity of exploitation and the availability of public exploit code, researchers expect continued abuse.
Samsung resolved the issue with the release of MagicINFO 9 Server version 21.1050 in August 2024, and customers running earlier versions are urged to upgrade.
D‑Link DIR‑823X under active attack
Another vulnerability added to the KEV catalog is CVE‑2025‑29635, which affects the D‑Link DIR‑823X router. This flaw enables command injection due to unsafe handling of attacker‑controlled input that is copied without sufficient validation.
Following public disclosure of a proof‑of‑concept exploit, Akamai researchers reported active exploitation by a Mirai‑based botnet. The attacks leverage specially crafted HTTP POST requests to compromise vulnerable devices and incorporate them into malicious botnet activity.
SimpleHelp vulnerabilities enable privilege escalation
The remaining two vulnerabilities impact SimpleHelp and pose serious risks to affected deployments:
- CVE‑2024‑57726 (CVSS 9.9): This authorization flaw allows technicians with limited privileges to generate API keys that grant elevated permissions. Exploitation can lead to a complete takeover of the SimpleHelp server with full administrative access.
- CVE‑2024‑57728 (CVSS 7.2): A path traversal vulnerability, commonly referred to as a zip slip issue, permits administrative users to upload specially crafted ZIP archives. These archives can place arbitrary files on the server, potentially resulting in remote code execution under the SimpleHelp server user account.
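The SimpleHelp zip slip and the MagicINFO path traversal described above share one root cause: a client-supplied name is trusted when the server decides where a file lands. The following is an added example, not Samsung's or SimpleHelp's code. It places the vulnerable naive join beside a containment check that resolves the final path and verifies it stays under the destination directory, and applies the same check to every entry of an uploaded ZIP before anything is written. Directory names, file names and archive contents are constructed for the demonstration.

```python
"""Path-containment checks for client-supplied file names: a traversal in an
uploaded file name (the MagicINFO case) and a zip-slip entry name inside an
uploaded archive (the SimpleHelp case). Added example; all paths and data are
constructed, nothing here is vendor code."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would land outside the destination directory."""


def target_path_naive(base_dir: str, name: str) -> str:
    """The vulnerable pattern: join the client name and trust the result.
    A name such as '../escape.jsp' resolves to a path outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_inside(base_dir: str, name: str) -> Path:
    """Return the absolute path for `name` under base_dir, or raise UnsafePathError.

    Rejects absolute names (POSIX and Windows style) and any '..' sequence that
    escapes base_dir after resolution. Containment is decided with
    Path.relative_to on resolved paths rather than a string-prefix test, so a
    sibling directory such as 'uploads_old' is not mistaken for 'uploads'.
    """
    if not name or name in (".", ".."):
        raise UnsafePathError(f"empty or reserved name: {name!r}")
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        raise UnsafePathError(f"absolute path not allowed: {name!r}")
    base = Path(base_dir).resolve()
    # Treat backslashes as separators so Windows-style traversal is caught on POSIX too.
    candidate = (base / name.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{name!r} escapes {base}") from None
    return candidate


def extract_zip_safely(archive: bytes, dest_dir: str) -> list[Path]:
    """Extract an in-memory ZIP under dest_dir, refusing the whole archive if any
    entry name would escape dest_dir. Every entry is checked before anything is
    written, so a rejected archive leaves no partial files behind."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = [(info, resolve_inside(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP whose entry names are stored verbatim (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise both checks in a throwaway directory and report what happened."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        # 1) Traversal in an upload file name: the naive join escapes, the check refuses.
        naive = target_path_naive(uploads, "../escape.jsp")
        outcome["naive_escapes"] = not naive.startswith(uploads + os.sep)
        try:
            resolve_inside(uploads, "../escape.jsp")
            outcome["hardened_refused"] = False
        except UnsafePathError:
            outcome["hardened_refused"] = True
        # 2) A zip-slip archive is rejected as a whole, including its harmless entry.
        bad = build_zip({"ok.txt": b"fine", "../escape.txt": b"owned"})
        try:
            extract_zip_safely(bad, uploads)
            outcome["zip_refused"] = False
        except UnsafePathError:
            outcome["zip_refused"] = True
        outcome["nothing_written"] = not (
            os.path.exists(os.path.join(tmp, "escape.txt"))
            or os.path.exists(os.path.join(uploads, "ok.txt"))
        )
        # 3) A clean archive still extracts normally (two file entries).
        good = build_zip({"site/index.html": b"<h1>ok</h1>", "site/css/a.css": b"body{}"})
        outcome["good_count"] = len(extract_zip_safely(good, uploads))
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The check runs on resolved paths rather than on the raw string because normalisation alone misses Windows separators, and a prefix comparison on strings accepts `uploads_old` as being inside `uploads`. Validating all archive entries before extracting any of them matters in the zip-slip case: an archive that mixes legitimate and traversing entries must not leave the legitimate ones behind as a half-applied upload.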
Compliance deadlines and mitigation guidance
Under Binding Operational Directive (BOD) 22‑01, federal civilian executive branch (FCEB) agencies are required to remediate all vulnerabilities listed in the KEV catalog by established deadlines. The directive is designed to reduce the significant risk posed by flaws that are already being exploited in the wild.
In addition to federal requirements, security professionals strongly advise private‑sector organizations to review the KEV catalog regularly and remediate any affected systems within their environments.
CISA has set a mandatory remediation deadline of May 8, 2026, for federal agencies to address these newly added vulnerabilities and ensure their networks are protected against ongoing exploitation.
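A practical way to act on the advice above is to read the machine-readable KEV feed and join it with an asset inventory, so each affected host carries its remediation deadline. The following is an added example, not CISA's code. The feed extract is a constructed subset limited to the four entries and the May 8, 2026 deadline stated in this article (the real feed carries more fields per entry); the inventory, host names and scanner findings are invented; and the version-based rule covers only MagicINFO 9 Server, the one product whose affected versions the article gives.

```python
"""Cross-check a KEV extract against an asset inventory and flag what is due.
Added example, not CISA's code. The extract and the inventory below are constructed."""
import json
from datetime import date

# Real location of the machine-readable catalog; this example never fetches it.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed subset of the feed (only four fields kept). dueDate is the deadline from the article.
KEV_EXTRACT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X", "dueDate": "2026-05-08"},
]})

# Constructed inventory: host, product, version, and CVEs a scanner reported for it.
# "CVE-0000-00000" is a placeholder, not a real CVE; it shows that non-KEV findings are dropped.
INVENTORY = [
    {"host": "signage-01", "product": "MagicINFO 9 Server", "version": "21.1040", "scanner_cves": []},
    {"host": "signage-02", "product": "MagicINFO 9 Server", "version": "21.1050", "scanner_cves": []},
    {"host": "support-01", "product": "SimpleHelp", "version": "", "scanner_cves": ["CVE-2024-57726", "CVE-2024-57728"]},
    {"host": "branch-rtr", "product": "DIR-823X", "version": "", "scanner_cves": ["CVE-2025-29635"]},
    {"host": "web-01", "product": "nginx", "version": "", "scanner_cves": ["CVE-0000-00000"]},
]

MAGICINFO_FIXED = "21.1050"  # first fixed MagicINFO 9 Server version, per the article


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted version string to an int tuple so '21.1050' > '21.999' compares numerically."""
    return tuple(int(part) for part in v.split("."))


def magicinfo_affected(version: str) -> bool:
    """CVE-2024-7399 affects MagicINFO 9 Server versions earlier than 21.1050."""
    return parse_version(version) < parse_version(MAGICINFO_FIXED)


def kev_due_dates(feed_json: str) -> dict[str, date]:
    """Map each catalog CVE to its BOD 22-01 due date."""
    return {e["cveID"]: date.fromisoformat(e["dueDate"])
            for e in json.loads(feed_json)["vulnerabilities"]}


def applicable_cves(asset: dict) -> set[str]:
    """Scanner findings plus the version rule for the one product the article bounds."""
    cves = set(asset["scanner_cves"])
    if asset["product"] == "MagicINFO 9 Server" and asset["version"] and magicinfo_affected(asset["version"]):
        cves.add("CVE-2024-7399")
    return cves


def review(feed_json: str, inventory: list[dict], today_iso: str) -> list[dict]:
    """One row per (host, KEV CVE), soonest deadline first; findings not in the KEV feed are dropped."""
    today = date.fromisoformat(today_iso)
    due = kev_due_dates(feed_json)
    rows = []
    for asset in inventory:
        for cve in sorted(applicable_cves(asset) & set(due)):
            days_left = (due[cve] - today).days
            rows.append({"host": asset["host"], "cve": cve, "due": due[cve].isoformat(),
                         "days_left": days_left, "overdue": days_left < 0})
    return sorted(rows, key=lambda r: (r["days_left"], r["host"], r["cve"]))


if __name__ == "__main__":
    for row in review(KEV_EXTRACT, INVENTORY, date.today().isoformat()):
        print(row)
```

In a real deployment the feed would be fetched from `KEV_FEED_URL` on a schedule and the inventory would come from the CMDB or scanner export; the join logic stays the same. Version comparison is done on integer tuples because a string comparison would rank 21.999 above 21.1050 and silently mark a vulnerable server as fixed.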
