The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has identified four vulnerabilities in SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers that are actively being exploited. These vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Here are the vulnerabilities listed by CISA:
- CVE-2024-57726 (CVSS score: 9.9) – SimpleHelp vulnerability that allows low-privileged technicians to escalate their privileges to the server admin role.
- CVE-2024-57728 (CVSS score: 7.2) – SimpleHelp vulnerability that enables admin users to upload arbitrary files and execute code on the host.
- CVE-2024-7399 (CVSS score: 8.8) – Samsung MagicINFO 9 Server vulnerability that allows attackers to write arbitrary files as system authority.
- CVE-2025-29635 (CVSS score: 7.5) – D-Link DIR-823X series routers vulnerability that permits attackers to execute arbitrary commands on remote devices.
The SimpleHelp vulnerabilities were used in ransomware campaigns, including the DragonForce ransomware operation. The exploitation of CVE-2024-7399 was associated with the Mirai botnet, while attempts to exploit CVE-2025-29635 involved a Mirai botnet variant named “tuxnokill.”
Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes for the vulnerabilities or discontinue the use of the affected devices by May 8, 2026, to mitigate the active threats.
