The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities affecting SimpleHelp, Samsung MagicINFO 9 Server and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of weaknesses is below –
- CVE-2024-57726 (CVSS Score: 9.9) – A missing authorization vulnerability in SimpleHelp that could allow low-privileged technicians to create an API key with excessive permissions, which could be used to escalate privileges to the Server Administrator role.
- CVE-2024-57728 (CVSS Score: 7.2) – A path traversal vulnerability in SimpleHelp that allows administrator users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e., zip slip), which can be used to execute arbitrary code on the host in the context of a SimpleHelp server user.
- CVE-2024-7399 (CVSS Score: 8.8) – A path traversal vulnerability in Samsung MagicINFO 9 Server that could allow an attacker to write arbitrary files with system authority.
- CVE-2025-29635 (CVSS Score: 7.5) – A command injection vulnerability in end-of-life D-Link DIR-823X series routers that allows an authenticated attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function.
While the “Known To Be Used in Ransomware Campaigns?” indicator for both SimpleHelp flaws has been marked as “Unknown” in the KEV catalog, reports from Field Effect and Sophos early last year revealed that the issues were exploited as a precursor to ransomware attacks. One such campaign was attributed to the DragonForce ransomware operation.
Exploitation of CVE-2024-7399 has previously been linked to malicious activity deploying the Mirai botnet. For CVE-2025-29635, Akamai revealed earlier this week that it recorded attempts to deliver a Mirai botnet variant named “Tuxnokill” against D-Link devices.
To mitigate active threats, federal civilian executive branch (FCEB) agencies are advised to apply the fixes or, in the case of CVE-2025-29635, discontinue use of the product by May 8, 2026.