CISA adds 4 exploited flaws to KEV
- CISA on April 24 added four actively exploited flaws to its Known Exploited Vulnerabilities catalog, including two SimpleHelp bugs, Samsung MagicINFO 9 Server, and D-Link DIR-823X.
- Federal civilian agencies must fix or mitigate all four by May 8, and the highest-rated entry, SimpleHelp CVE-2024-57726, carries a 9.9 critical severity score.
- The move extends CISA’s push to prioritize bugs already used in real attacks, not just newly disclosed ones. (cisa.gov)
CISA on April 24 added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog and gave federal civilian agencies until May 8 to remediate them. (cisa.gov) The four entries are CVE-2024-7399 in Samsung MagicINFO 9 Server, CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, and CVE-2025-29635 in the D-Link DIR-823X router. (cisa.gov) CISA’s catalog says both SimpleHelp flaws were added on April 24 with the same May 8 deadline, alongside the Samsung and D-Link entries. (cisa.gov)

SimpleHelp is remote support software used by IT teams and managed service providers to reach customer machines over the internet. A flaw there can turn a help desk tool into an entry point to every machine the tool can reach. (cisa.gov) (sophos.com)

The highest-severity flaw in this batch is SimpleHelp CVE-2024-57726, which NIST’s National Vulnerability Database lists at CVSS 9.9. It lets a low-privileged technician create over-privileged API keys and escalate to server administrator. (nvd.nist.gov) The second new SimpleHelp entry, CVE-2024-57728, is a path traversal bug of the kind often called a “zip slip.” NIST says an admin user can upload a crafted archive whose entry names climb out of the intended directory, so the server writes files anywhere on disk, enabling code execution. (nvd.nist.gov)

Those two additions follow an earlier KEV listing for another SimpleHelp bug, CVE-2024-57727, which CISA added on February 13, 2025, with a March 6, 2025 remediation deadline. (nvd.nist.gov) CISA warned in a June 12, 2025 advisory that ransomware actors had likely exploited CVE-2024-57727 in unpatched SimpleHelp systems to reach downstream customers of a utility billing software provider. (cisa.gov)

Microsoft said on April 6, 2026 that the Medusa-linked actor it tracks as Storm-1175 has been targeting vulnerable web-facing systems in the gap between disclosure and patching. Microsoft’s write-up is cited on NIST pages for both newly added SimpleHelp CVEs. (microsoft.com) (nvd.nist.gov 1) (nvd.nist.gov 2)

For federal agencies, the KEV list is not just a warning feed. CISA says Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate listed vulnerabilities by the due date. (cisa.gov 1) (cisa.gov 2) For everyone else, CISA’s message is narrower than “patch everything.” Fix the bugs attackers are already using first, especially in internet-facing management tools that can open the door to many customer systems at once. (cisa.gov 1) (cisa.gov 2)
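The “zip slip” pattern behind CVE-2024-57728 is easiest to see in code. The following is an added example written for this article, not SimpleHelp’s code or NIST’s description: it builds two small archives in memory (constructed sample data), shows the naive join that trusts entry names, and beside it a check that resolves every entry against the extraction directory and refuses the whole archive if any entry would land outside it. The directory name /srv/app/uploads is a hypothetical default.

```python
"""Zip-slip check for uploaded archives (added example, not SimpleHelp code)."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_archive(entries: dict[str, str]) -> bytes:
    """Build an in-memory zip from {entry_name: content}. Sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean archive, and one carrying a traversal entry.
CLEAN = build_archive({"docs/readme.txt": "benign"})
MALICIOUS = build_archive({"docs/readme.txt": "benign",
                           "../../escaped.txt": "would land outside dest"})


def naive_target(dest: str, name: str) -> str:
    """The vulnerable pattern: join the entry name to dest and trust the result."""
    return os.path.normpath(os.path.join(dest, name))


def entry_escapes(dest: Path, name: str) -> bool:
    """True if entry `name` would resolve outside `dest`: an absolute path,
    a drive letter, or enough '..' components to climb out of the tree."""
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return True
    root = dest.resolve()
    candidate = (root / name).resolve()
    return candidate != root and root not in candidate.parents


def audit_archive(archive: bytes, dest: Path = Path("/srv/app/uploads")) -> list[str]:
    """Names of entries that would escape `dest`; an empty list means clean.
    (/srv/app/uploads is a hypothetical extraction directory.)"""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if entry_escapes(dest, i.filename)]


def safe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Extract only after every entry has passed the check, so a hostile
    archive never leaves a partial extraction behind. Returns files written."""
    bad = audit_archive(archive, dest)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest}: {bad}")
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> tuple[bool, int]:
    """Run both archives through safe_extract in a scratch directory.
    Returns (malicious_archive_rejected, files_written_from_clean_archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "uploads"
        try:
            safe_extract(MALICIOUS, dest)
            rejected = False
        except ValueError:
            rejected = True
        written = safe_extract(CLEAN, dest)
        return rejected, len(written)


if __name__ == "__main__":
    print("naive join lands at:", naive_target("/srv/app/uploads", "../../escaped.txt"))
    print("escaping entries in malicious archive:", audit_archive(MALICIOUS))
    print("demo (rejected, files written):", demo())
```

The check resolves both the destination and each candidate path before comparing them, so symlinked temp directories and `..` segments are normalised consistently; it validates the full entry list before writing a single byte. Windows-style backslashes in entry names are not treated as separators on POSIX, so a service running on Windows should also normalise those before calling the check.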
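Treating the KEV list as a deadline feed rather than a warning feed, as the last paragraph suggests, comes down to matching catalog entries against what you actually run and sorting by due date. This added example (not CISA tooling) does that over a constructed sample shaped like CISA’s public JSON feed; the field names cveID, product, dateAdded and dueDate are an assumption about that feed, the entries reuse the CVEs and dates in the article, and the year on the April 24 / May 8 dates is not stated on the page and is assumed here.

```python
"""Triage KEV entries against an asset inventory and a reference date.
Added example, not CISA tooling; field names are an assumption about the feed."""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The four April 24
# entries and the earlier CVE-2024-57727 listing come from the article;
# the year 2026 on the April/May dates is assumed.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57727", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2025-02-13", "dueDate": "2025-03-06"},
]})

# Constructed inventory: the products this (hypothetical) organisation runs.
INVENTORY = {"SimpleHelp", "DIR-823X"}


def triage(feed_json: str, inventory: set[str], today: str) -> list[dict]:
    """Return KEV entries whose product is in the inventory, most urgent first.
    Each hit carries days_left relative to `today` (ISO date); a negative
    value means the BOD 22-01 due date has already passed."""
    ref = date.fromisoformat(today)
    hits = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["product"] not in inventory:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cveID": entry["cveID"], "product": entry["product"],
                     "dueDate": entry["dueDate"], "days_left": (due - ref).days})
    hits.sort(key=lambda h: (h["days_left"], h["cveID"]))
    return hits


def overdue(feed_json: str, inventory: set[str], today: str) -> list[str]:
    """CVE IDs from triage() whose due date is already behind `today`."""
    return [h["cveID"] for h in triage(feed_json, inventory, today) if h["days_left"] < 0]


if __name__ == "__main__":
    for h in triage(SAMPLE_FEED, INVENTORY, "2026-05-01"):
        print(f"{h['cveID']:16} {h['product']:12} due {h['dueDate']}  days_left={h['days_left']}")
    print("overdue:", overdue(SAMPLE_FEED, INVENTORY, "2026-05-01"))
```

Run against the real feed, the only change is swapping SAMPLE_FEED for the downloaded JSON and INVENTORY for the product names in your asset register; the sort puts anything already past its due date at the top, which is the ordering the article’s “fix the bugs attackers are already using first” advice implies.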