
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below:

CVE-2024-57726 (CVSS score: 9.9) – A missing authentication vulnerability in SimpleHelp could be used by a low-privileged technician to create an API key with excessive privileges and escalate their privileges to the server administrator role.

CVE-2024-57728 (CVSS score: 7.2) – A path traversal vulnerability in SimpleHelp that allows an administrative user to upload arbitrary files to any location on the file system by uploading a specially crafted zip file (i.e., a zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

CVE-2024-7399 (CVSS score: 8.8) – A path traversal vulnerability in Samsung MagicINFO 9 Server could allow an attacker to write arbitrary files with system privileges.

CVE-2025-29635 (CVSS score: 7.5) – A command injection vulnerability in the end-of-life D-Link DIR-823X series routers allows an authorized attacker to execute arbitrary commands on a remote device by sending a POST request to /goform/set_prohibiting via the corresponding function.
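The zip slip class behind CVE-2024-57728 comes down to trusting entry names inside an uploaded archive. The following Python sketch is an added example, not SimpleHelp's code or its fix: it rejects an archive outright when any entry would land outside the destination directory. The function names and the sample archives are assumptions constructed for illustration.

```python
import io
import stat
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def unsafe_reason(info, dest):
    """Return why a zip entry must not be extracted, or None if it is safe."""
    # Treat backslashes as separators so Windows-style names cannot slip through.
    name = info.filename.replace("\\", "/")
    if name.startswith("/") or PureWindowsPath(name).drive:
        return "absolute or drive-qualified path"
    if ".." in PurePosixPath(name).parts:
        return "parent-directory component"
    # Unix mode bits live in the high 16 bits of external_attr.
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symbolic link entry"
    # Final containment check also catches symlinks already present under dest.
    root = dest.resolve()
    if not (root / name).resolve().is_relative_to(root):
        return "resolves outside destination"
    return None


def safe_extract(archive, dest):
    """Extract only if every entry is safe; return the rejected (name, reason) pairs."""
    with zipfile.ZipFile(archive) as zf:
        rejected = [(i.filename, r) for i in zf.infolist()
                    if (r := unsafe_reason(i, dest)) is not None]
        if not rejected:
            zf.extractall(dest)
    return rejected


def build_zip(names):
    """Constructed sample archive: one small text entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "constructed sample")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_zip(["ok.txt", "../../outside.txt"])  # constructed input
    for name, reason in safe_extract(sample, Path("upload_out")):
        print(f"rejected {name}: {reason}")
```

Python's own `zipfile` strips `..` components during extraction, but refusing the whole archive and recording the reason gives an upload handler something to alert on instead of silently sanitizing.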
Both SimpleHelp flaws are marked as “Unknown” in the “Known to be used in ransomware campaigns?” field, although metrics and reports from Field Effect and Sophos revealed that this issue was being exploited as a precursor to a ransomware attack early last year. One such campaign is believed to be from the DragonForce ransomware operation.
Exploitation of CVE-2024-7399 has previously been associated with malicious activity deploying the Mirai botnet. Regarding CVE-2025-29635, Akamai disclosed earlier this week that it had recorded an attempt to deliver a Mirai botnet variant named “tuxnokill” against D-Link devices.
To mitigate the ongoing threat, Federal Civilian Executive Branch (FCEB) agencies are encouraged to apply a fix or, in the case of CVE-2025-29635, remove the appliance from service by May 8, 2026.
