CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
CISA has added 4 critical vulnerabilities to its list: technicians, take note!
CISA Adds Four Critical Vulnerabilities in SimpleHelp, Samsung, and D-Link to KEV Catalog
In the fast-moving landscape of global cybersecurity, Moroccan IT professionals and organizations must stay vigilant about vulnerabilities actively being exploited in the wild. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog to include four new flaws affecting remote support software, digital signage servers, and popular networking hardware. These vulnerabilities represent immediate risks, with some already linked to ransomware operations and botnet expansions.
TL;DR
CISA has added four vulnerabilities (CVE-2024-57726, CVE-2024-57728, CVE-2024-7399, and CVE-2025-29635) to its KEV catalog, affecting SimpleHelp, Samsung MagicINFO, and D-Link DIR-823X routers. These flaws allow for privilege escalation, arbitrary file writes, and remote command execution. Federal agencies have until May 8, 2026, to remediate these issues, but Moroccan sysadmins should prioritize patching immediately to prevent ransomware and botnet infections.
Critical Flaws in SimpleHelp: A Precursor to Ransomware
SimpleHelp, a remote support software often used by MSPs (Managed Service Providers) and IT teams to manage remote workstations, has been hit with two major vulnerabilities.
- CVE-2024-57726 (CVSS 9.9): This is a "Missing Authorization" vulnerability. In technical terms, it means the software fails to properly check if a user has the right to perform a specific action. This allows low-privileged technicians to create API keys with excessive permissions, which can then be used to escalate their role to "Server Admin."
- CVE-2024-57728 (CVSS 7.2): This is a "Path Traversal" vulnerability, specifically a "Zip Slip" flaw. It allows an admin-level user to upload a specially crafted zip file that extracts files to anywhere on the host filesystem. This can lead to arbitrary code execution (ACE) on the server.
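The "Zip Slip" mechanism described above, as an added example that is not from the article or from SimpleHelp's code: a constructed archive carries one entry whose name climbs out of the extraction directory with `../`, and a defensive extractor resolves each entry's final path and refuses anything that would land outside the destination. The archive contents, file names and `run_demo` helper are constructed for this illustration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry and one 'Zip Slip' entry whose
    name uses '../' segments to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless content")
        zf.writestr("../../outside.txt", "would land outside the target dir")
    return buf.getvalue()


def is_within(base: str, target: str) -> bool:
    """True only if target, after resolving '..' and symlinks, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract entries whose resolved path stays inside dest; skip the rest.
    Returns the names of the rejected entries so they can be logged or alerted on."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too: '..\\' is the same trick.
            name = info.filename.replace("\\", "/")
            target = os.path.join(dest, name)
            if os.path.isabs(name) or not is_within(dest, target):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest)
    return rejected


def run_demo() -> tuple[list[str], bool]:
    """Extract the sample into a fresh temp dir; return (rejected names,
    whether the benign file was written)."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_zip(), dest)
    return rejected, os.path.isfile(os.path.join(dest, "report.txt"))


if __name__ == "__main__":
    print(run_demo())
```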
The Moroccan Context: While CISA officially lists the ransomware status of these flaws as "Unknown," security researchers from Field Effect and Sophos have linked these vulnerabilities to the DragonForce ransomware operation. For Moroccan companies providing remote technical support, an unpatched SimpleHelp server could serve as the entry point for a full-scale encryption attack.
Samsung MagicINFO 9: Writing Files as System Authority
Samsung MagicINFO is a powerful tool used for managing digital signage and large-scale displays. However, a significant flaw has been identified in the MagicINFO 9 Server.
- CVE-2024-7399 (CVSS 8.8): This is another "Path Traversal" vulnerability. It allows an attacker to write arbitrary files to the server's disk with System Authority privileges. On Windows, System Authority (the built-in SYSTEM account) is the highest level of privilege, meaning the attacker essentially has full control over the machine.
Historically, the exploitation of this specific vulnerability has been linked to the deployment of the Mirai botnet, which recruits compromised devices into a massive network used for Distributed Denial of Service (DDoS) attacks.
D-Link DIR-823X Routers: End-of-Life and Under Attack
The final vulnerability added to the catalog impacts the D-Link DIR-823X series routers.
- CVE-2025-29635 (CVSS 7.5): This is a "Command Injection" vulnerability. By sending a malicious POST request to a specific endpoint (/goform/set_prohibiting), an authorized attacker can execute arbitrary commands on the remote device.
Technical Detail: Command Injection occurs when an application passes unsafe user-supplied data (such as forms or HTTP headers) to a system shell. In this case, it allows attackers to bypass intended restrictions and run their own code.
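The pattern the paragraph above describes, as an added example that is not from the article or from any router firmware: a generic handler parameter in Python, first spliced into a shell string (the vulnerable form, returned rather than run so the resulting command line is visible), then handled with an allow-list and an argv list that never reaches a shell. Function names and the sample values are constructed for this illustration.

```python
import re
import shlex

# Allow-list for the one value the handler accepts: a hostname or IPv4 literal.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def unsafe_command(value: str) -> str:
    """The vulnerable pattern: the request parameter is concatenated into a
    shell command string. Returned, not executed, so the effect is visible."""
    return "ping -c 1 " + value


def is_allowed_value(value: str) -> bool:
    """Allow-list check: anything outside hostname/IP characters is rejected."""
    return HOST_RE.fullmatch(value) is not None


def safe_argv(value: str) -> list[str]:
    """Hardened form: validate first, then hand the value to
    subprocess.run(argv) (shell=False) as ONE argv element, where ';', '|'
    or '$(' are just bytes inside an argument, never shell syntax."""
    if not is_allowed_value(value):
        raise ValueError(f"rejected parameter value: {value!r}")
    return ["ping", "-c", "1", value]


def quoted_shell_command(value: str) -> str:
    """Second layer for code paths where a shell string is unavoidable:
    shlex.quote keeps the whole value inside a single argument. Use it in
    addition to the allow-list, not instead of it."""
    return "ping -c 1 " + shlex.quote(value)


if __name__ == "__main__":
    sample = "10.0.0.1; id"  # constructed value carrying a shell metacharacter
    print("vulnerable:", unsafe_command(sample))
    print("quoted    :", quoted_shell_command(sample))
    print("allowed?  :", is_allowed_value(sample))
```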
Risk Warning: According to reports from Akamai, this flaw is currently being exploited to deliver a Mirai botnet variant named "tuxnokill." Because these routers are now "End-of-Life" (EOL), the manufacturer will not be providing further security updates.
Mitigation and Deadlines
For Moroccan security practitioners, these additions to the CISA KEV catalog should serve as a high-priority work order. While the U.S. Federal Civilian Executive Branch (FCEB) has a hard deadline of May 8, 2026, to remediate these flaws, the active exploitation by ransomware groups means organizations should act much sooner.
Recommended Actions:
- SimpleHelp & Samsung: Immediately apply the latest security patches provided by the vendors.
- D-Link DIR-823X: Because these devices are EOL and no longer receive security updates, CISA recommends discontinuing use of the appliance entirely and replacing it with supported hardware.
- Audit Permissions: For SimpleHelp users, audit all existing API keys and technician accounts for any suspicious elevation of privileges.
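An added example, not from the article or from CISA, of turning these recommendations into a routine check: a constructed asset inventory is matched against a KEV excerpt written in the layout of CISA's public KEV JSON feed, and each hit is tagged with its days to the May 8, 2026 due date and its required action. The field names follow the KEV feed; the entries, the `requiredAction` wording and the inventory are constructed here.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the KEV JSON feed (top-level
# "vulnerabilities" list). CVEs, products and the due date are those the
# article reports; the requiredAction text is shortened and constructed.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "requiredAction": "Apply vendor patch"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "requiredAction": "Apply vendor patch"},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dueDate": "2026-05-08", "requiredAction": "Apply vendor patch"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dueDate": "2026-05-08", "requiredAction": "Discontinue use (EOL)"},
]})

# Constructed inventory export: (asset name, vendor, product).
INVENTORY = [
    ("support-01", "SimpleHelp", "SimpleHelp"),
    ("signage-srv", "Samsung", "MagicINFO 9 Server"),
    ("branch-rtr-3", "D-Link", "DIR-823X"),
    ("fileserver", "Microsoft", "Windows Server"),
]


def kev_hits(kev_json: str, inventory, today: date) -> list[dict]:
    """One finding per (asset, KEV entry) match, with days left until the
    federal due date; a negative number means the deadline has passed."""
    by_product = {}
    for e in json.loads(kev_json)["vulnerabilities"]:
        key = (e["vendorProject"].lower(), e["product"].lower())
        by_product.setdefault(key, []).append(e)
    findings = []
    for asset, vendor, product in inventory:
        for e in by_product.get((vendor.lower(), product.lower()), []):
            due = date.fromisoformat(e["dueDate"])
            findings.append({"asset": asset, "cve": e["cveID"],
                             "days_to_due": (due - today).days,
                             "action": e["requiredAction"]})
    return sorted(findings, key=lambda f: (f["days_to_due"], f["asset"]))


def overdue(findings) -> list[str]:
    """CVE IDs whose due date has already passed."""
    return [f["cve"] for f in findings if f["days_to_due"] < 0]


if __name__ == "__main__":
    for f in kev_hits(KEV_JSON, INVENTORY, date.today()):
        print(f)
```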
By addressing these vulnerabilities today, Moroccan IT infrastructure stays one step ahead of the botnets and ransomware operators targeting these known weaknesses.
Source: The Hacker News - CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline