CISA adds 4 exploited flaws

- The Cybersecurity and Infrastructure Security Agency on April 24 added four actively exploited bugs to its Known Exploited Vulnerabilities catalog: two in SimpleHelp, one in Samsung MagicINFO 9 Server, and one in a D-Link router.
- Federal Civilian Executive Branch agencies now have until May 8, 2026, to fix or mitigate the four flaws, including SimpleHelp CVE-2024-57726, a privilege-escalation bug rated 9.9 on the CVSS scale.
- The KEV list is CISA's live roster of bugs already used in real attacks, and agencies must patch entries by their deadline under Binding Operational Directive 22-01. (cisa.gov)

CISA on April 24 added four actively exploited software flaws to its Known Exploited Vulnerabilities catalog and set a May 8 deadline for federal civilian agencies to act. (cisa.gov) The new entries are CVE-2024-7399 in Samsung MagicINFO 9 Server, CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, and CVE-2025-29635 in the D-Link DIR-823X router. (cisa.gov) CISA's catalog lists all four as added on April 24, 2026, with the same remediation due date of May 8, 2026, for Federal Civilian Executive Branch agencies. (cisa.gov)

SimpleHelp is remote support software used by IT teams and managed service providers to reach customer machines over the internet. A flaw there can turn a help-desk tool into a path into many downstream networks at once. (cisa.gov) The most severe of the four is CVE-2024-57726, which lets low-privileged SimpleHelp technicians create API keys with more permissions than their own role and escalate to the server administrator role. The National Vulnerability Database scores that flaw 9.9 on the Common Vulnerability Scoring System. (cisa.gov) (nvd.nist.gov) The second SimpleHelp bug, CVE-2024-57728, is a path traversal issue: CISA says an admin user can upload a crafted ZIP file whose contents are written anywhere on the file system, which can lead to code execution on the host running the SimpleHelp server. (cisa.gov) (nvd.nist.gov) Read together, the two descriptions outline a chain on paper: a technician account escalates to admin through CVE-2024-57726, and an admin account can then reach code execution through CVE-2024-57728, so neither bug should be deprioritized because it requires a login.

Samsung's CVE-2024-7399 is also a path traversal flaw. CISA says it can let attackers write arbitrary files as system authority on MagicINFO 9 Server, a content-management platform used to run digital signage. (cisa.gov) (nvd.nist.gov) The D-Link entry, CVE-2025-29635, is a command-injection bug in DIR-823X firmware versions 240126 and 240802. NVD says an authorized attacker can execute arbitrary commands remotely by sending a crafted POST request to `/goform/set_prohibiting`. (cisa.gov) (nvd.nist.gov)

CISA only adds a bug to KEV when it has a CVE identifier, reliable evidence of active exploitation, and a clear remediation action such as a vendor update. The agency calls the catalog its authoritative list of vulnerabilities already being used in the wild. (cisa.gov 1) (cisa.gov 2) The federal deadline comes from Binding Operational Directive 22-01, which requires civilian agencies to fix KEV-listed flaws by the due date or follow formal exception processes. CISA says private companies and state and local governments are not bound by the directive but should still prioritize KEV items in their patching plans. (cisa.gov 1) (cisa.gov 2)

SimpleHelp has appeared in CISA warnings before. In June 2025, the agency said ransomware actors had been exploiting unpatched SimpleHelp software since January 2025 and had used CVE-2024-57727 to reach customers of a utility billing software provider. (cisa.gov) That history is why a KEV update matters beyond four product names. Once a flaw lands in the catalog, federal agencies get a date on the calendar, and everyone else gets a signal that attackers are already ahead of slow patch cycles. (cisa.gov)
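The two path-traversal entries above, the SimpleHelp ZIP upload and the MagicINFO arbitrary-file write, belong to one class: an upload whose member names are written to disk without being confined to the intended directory. The check below is an added example written for this page, not SimpleHelp's or Samsung's code, and it makes no claim about where those products fail. It builds a constructed archive with a `../` member in memory and shows a confinement check that rejects the whole archive before anything is extracted; the directory and file names are hypothetical.

```python
"""Confinement check for archive members, the path-traversal class behind
CVE-2024-57728 and CVE-2024-7399. Added example; not vendor code."""
import io
import os
import tempfile
import zipfile


def is_safe_member(name: str, dest: str) -> bool:
    """True only if member `name` would land inside `dest` after extraction."""
    # Absolute paths and drive-letter paths can never be inside dest.
    if name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    if len(name) > 1 and name[1] == ":":
        return False
    # Resolve both sides so '..' segments and a symlinked dest compare consistently.
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def unsafe_members(zip_bytes: bytes, dest: str) -> list[str]:
    """Names of members that would escape `dest`; an empty list means the archive is clean."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n, dest)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every member passes; one bad member rejects the whole archive."""
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal in members: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain plugin bundle, and one carrying a traversal member.
BENIGN = build_zip({"plugin/config.ini": b"enabled=1",
                    "plugin/lib/util.jar": b"\x50\x4b"})
MALICIOUS = build_zip({"plugin/config.ini": b"enabled=1",
                       "../../../../etc/cron.d/backdoor": b"* * * * * root /tmp/x\n"})


def demo() -> dict:
    """Run both archives against a throwaway directory (hypothetical paths)."""
    dest = tempfile.mkdtemp(prefix="extract-")
    benign = safe_extract(BENIGN, dest)
    try:
        safe_extract(MALICIOUS, dest)
        rejected = False
    except ValueError:
        rejected = True
    return {"benign_extracted": benign, "malicious_rejected": rejected,
            "bad_members": unsafe_members(MALICIOUS, dest)}


if __name__ == "__main__":
    print(demo())
```

Resolving both sides with `realpath` catches `..` segments, absolute paths and a destination that is itself a symlink. It does not help against a member that is a symlink pointing outside the tree, so an extractor that honours symlinks should refuse them or check each path again after every write.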

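Agencies bound by BOD 22-01, and anyone else who follows CISA's advice to prioritize KEV entries, end up tracking the catalog's `dateAdded` and `dueDate` fields against what they actually run. The script below is an added example, not CISA tooling. It parses a snapshot in the shape of CISA's JSON feed and reports which entries match an asset inventory and which are due soon or already overdue. The snapshot is constructed for this example: the CVE IDs, vendors, products and the April 24 / May 8 dates are the ones on this page, while the `vulnerabilityName`, `requiredAction` and `knownRansomwareCampaignUse` strings and the two dates on the CVE-2024-57727 row are placeholders, not the feed's text. The inventory terms are hypothetical.

```python
"""Offline triage of a KEV catalog snapshot against an asset inventory.
Added example for this page, not CISA tooling."""
import json
from datetime import date, timedelta

# The live feed lives here; fetch it separately, this example stays offline.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")


def _entry(cve, vendor, product, desc, added, due):
    # Constructed rows in the feed's schema. vulnerabilityName, requiredAction and
    # knownRansomwareCampaignUse are placeholders, not the catalog's actual text.
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": f"{product} vulnerability (placeholder)",
            "dateAdded": added, "shortDescription": desc,
            "requiredAction": "Apply vendor update or mitigation (placeholder)",
            "dueDate": due, "knownRansomwareCampaignUse": "Unknown",
            "notes": "", "cwes": []}


SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample", "dateReleased": "2026-04-24T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        _entry("CVE-2024-57726", "SimpleHelp", "SimpleHelp",
               "Low-privileged technician can create over-privileged API keys and become server admin",
               "2026-04-24", "2026-05-08"),
        _entry("CVE-2024-57728", "SimpleHelp", "SimpleHelp",
               "Admin can upload crafted ZIP to write files anywhere, leading to code execution",
               "2026-04-24", "2026-05-08"),
        _entry("CVE-2024-7399", "Samsung", "MagicINFO 9 Server",
               "Path traversal allows arbitrary file write as system authority",
               "2026-04-24", "2026-05-08"),
        _entry("CVE-2025-29635", "D-Link", "DIR-823X",
               "Authorized attacker runs arbitrary commands via crafted POST to /goform/set_prohibiting",
               "2026-04-24", "2026-05-08"),
        # Older SimpleHelp entry named on the page; these two dates are illustrative only.
        _entry("CVE-2024-57727", "SimpleHelp", "SimpleHelp",
               "Path traversal used by ransomware actors since January 2025",
               "2025-02-13", "2025-03-06"),
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse a feed snapshot and return its vulnerability rows."""
    return json.loads(text)["vulnerabilities"]


def due_within(entries: list[dict], today: str, days: int) -> list[str]:
    """CVE IDs whose BOD 22-01 due date falls in [today, today+days], soonest first."""
    start = date.fromisoformat(today)
    end = start + timedelta(days=days)
    hits = [e for e in entries if start <= date.fromisoformat(e["dueDate"]) <= end]
    return [e["cveID"] for e in sorted(hits, key=lambda e: (e["dueDate"], e["cveID"]))]


def overdue(entries: list[dict], today: str) -> list[str]:
    """CVE IDs whose due date has already passed."""
    t = date.fromisoformat(today)
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < t)


def affecting(entries: list[dict], inventory: set[str]) -> list[str]:
    """CVE IDs whose vendor or product contains an inventory term (case-insensitive)."""
    terms = {s.lower() for s in inventory}

    def hay(e):
        return f"{e['vendorProject']} {e['product']}".lower()

    return sorted(e["cveID"] for e in entries if any(t in hay(e) for t in terms))


def triage(text: str, today: str, inventory: set[str], days: int = 14) -> dict:
    """Overdue and due-soon KEV entries, restricted to products in the inventory."""
    entries = load_kev(text)
    ours = set(affecting(entries, inventory))
    return {"overdue": [c for c in overdue(entries, today) if c in ours],
            "due_soon": [c for c in due_within(entries, today, days) if c in ours]}


if __name__ == "__main__":
    # Hypothetical inventory terms; point load_kev at the live feed for real use.
    print(triage(SAMPLE_KEV, "2026-04-27", {"SimpleHelp", "D-Link"}))
```

The vendor/product match is a coarse substring filter; a production version should key on CPEs or asset tags from the inventory system. Note also that `dueDate` is the federal deadline, not a measure of exploitability: a non-federal team should treat the `dateAdded` of any entry it runs as the day the clock started.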