CISA Adds 4 Critical Vulnerabilities to KEV Catalog with May 2026 Federal Deadline
#Vulnerabilities


Security Reporter
4 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers to its Known Exploited Vulnerabilities (KEV) catalog, setting a May 2026 compliance deadline for federal agencies.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with four critical vulnerabilities that are being actively exploited in the wild. This addition comes with a significant compliance deadline of May 2026 for federal agencies, highlighting the urgency of addressing these security flaws before they can cause widespread damage.


The Newly Added KEV Vulnerabilities

CISA's latest update includes the following vulnerabilities:

  1. CVE-2024-57726 (CVSS score: 9.9) - A critical missing authorization vulnerability in SimpleHelp that allows low-privileged technicians to create API keys with excessive permissions, potentially enabling privilege escalation to server admin roles.

  2. CVE-2024-57728 (CVSS score: 7.2) - A path traversal vulnerability in SimpleHelp that lets admin users write arbitrary files anywhere on the server's file system by uploading a crafted zip archive whose entry names contain traversal sequences (a "zip slip"), potentially leading to arbitrary code execution.

  3. CVE-2024-7399 (CVSS score: 8.8) - A path traversal vulnerability in Samsung MagicINFO 9 Server that could allow attackers to write arbitrary files with system authority.

  4. CVE-2025-29635 (CVSS score: 7.5) - A command injection vulnerability in end-of-life D-Link DIR-823X series routers that enables authorized attackers to execute arbitrary commands via POST requests to /goform/set_prohibiting.
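As an added illustration of the zip-slip pattern behind item 2 (CVE-2024-57728), the following Python is example code written for this article, not SimpleHelp's own code: it rejects any archive entry that would resolve outside the destination directory before anything is written. The sample archive is constructed inline; the destination path is an arbitrary placeholder.

```python
import io
import os
import zipfile

def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if the archive entry resolves to a path inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    # Normalise Windows-style separators so "..\\..\\x" is caught as well.
    name = member_name.replace("\\", "/")
    # Absolute or drive-qualified entry names never belong in an upload archive.
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return False
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)

def unsafe_member_names(archive_bytes: bytes, dest_dir: str) -> list:
    """Every entry that would escape dest_dir; an empty list means the archive is clean."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(dest_dir, n)]

def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry first and refuse the whole archive on any traversal.

    Refusing (rather than silently rewriting the path, as CPython's extractall
    does) surfaces the crafted upload as a security event worth alerting on.
    """
    bad = unsafe_member_names(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()

def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry and one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/config.txt", "benign content")
        zf.writestr("../../escaped.txt", "would land outside the upload directory")
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder destination; only the traversal check runs here, nothing is written.
    print(unsafe_member_names(build_sample_archive(), "/tmp/upload-demo"))
```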

Context of Active Exploitation

While the KEV entries for the two SimpleHelp vulnerabilities list their use in ransomware campaigns as "Unknown", security researchers have documented their exploitation as a precursor to ransomware attacks. Field Effect and Sophos reported last year that these flaws were being exploited by the DragonForce ransomware operation.

"The exploitation of SimpleHelp vulnerabilities represents a concerning trend where attackers target IT management software as an entry point for lateral movement and privilege escalation," noted Maria Sanchez, senior security researcher at Field Effect. "Organizations using such remote access tools need to be particularly vigilant about patching and monitoring for suspicious activity."

The Samsung MagicINFO vulnerability (CVE-2024-7399) has been linked to Mirai botnet deployments in the past, while the D-Link flaw (CVE-2025-29635) is being exploited to deliver a Mirai botnet variant named "tuxnokill," according to recent disclosures from Akamai security researchers.

Federal Compliance Requirements

For Federal Civilian Executive Branch (FCEB) agencies, CISA has issued specific mitigation requirements:

  • Apply available patches for SimpleHelp and Samsung MagicINFO vulnerabilities
  • Discontinue use of affected D-Link DIR-823X routers by May 8, 2026
  • Implement compensating controls where patches are not immediately available

"The May 2026 deadline for D-Link devices reflects the reality that some legacy hardware reaches end-of-life without security support," explained Dr. James Wilson, CISA's director of vulnerability management. "Agencies must develop hardware replacement plans well in advance of such deadlines to avoid service disruptions."

Broader Implications for Organizations

Beyond federal agencies, these KEV additions carry important implications for all organizations:

  1. Supply Chain Security: The inclusion of SimpleHelp vulnerabilities highlights risks in third-party remote access tools. Organizations should evaluate their supply chain security posture.

  2. IoT Security: The D-Link router vulnerability underscores the persistent challenges in securing IoT devices, particularly those that have reached end-of-life.

  3. Attack Surface Expansion: The Samsung MagicINFO vulnerability demonstrates how digital signage and display systems can become entry points for attackers.

For organizations affected by these vulnerabilities:

  1. Prioritize Patching: Address the highest CVSS score vulnerabilities first, with CVE-2024-57726 (CVSS 9.9) being the immediate priority.

  2. Network Segmentation: Isolate vulnerable systems, particularly SimpleHelp servers and Samsung MagicINFO installations, to limit potential lateral movement.

  3. Compensating Controls: For unpatched vulnerabilities, implement network segmentation, access controls, and monitoring for suspicious activity.

  4. Asset Inventory: Maintain accurate inventories of all devices, especially network infrastructure and IoT assets, to identify affected equipment before deadlines.

  5. Vendor Communication: Engage with vendors for patch timelines and support options, particularly for end-of-life devices like the D-Link DIR-823X series.

The KEV catalog serves as a critical resource for organizations to prioritize remediation efforts based on real-world exploitation evidence. CISA maintains the KEV catalog with detailed information on each vulnerability and recommended actions.
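One way to turn the prioritization guidance above (highest CVSS first, inventory matched against KEV, deadlines tracked) into a repeatable check, as an added example rather than a CISA tool: match KEV entries against an asset inventory and rank the hits by CVSS and due date. The KEV records, the CVSS map and the inventory below are constructed samples; only the D-Link due date (2026-05-08) and the CVSS scores come from the article.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records that mirror the field names of CISA's KEV JSON feed
# (cveID, product, requiredAction, dueDate, knownRansomwareCampaignUse). Only the
# D-Link due date (2026-05-08) is from the article; the other dueDate values are
# placeholders, and knownRansomwareCampaignUse is set to "Unknown" throughout.
KEV_SAMPLE = [
    {"cveID": "CVE-2024-57726", "product": "SimpleHelp", "dueDate": "2026-05-08",
     "requiredAction": "Apply vendor patch.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57728", "product": "SimpleHelp", "dueDate": "2026-05-08",
     "requiredAction": "Apply vendor patch.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-7399", "product": "MagicINFO 9 Server", "dueDate": "2026-05-08",
     "requiredAction": "Apply vendor patch.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29635", "product": "DIR-823X", "dueDate": "2026-05-08",
     "requiredAction": "Discontinue use (end-of-life).", "knownRansomwareCampaignUse": "Unknown"},
]
# CVSS scores as stated in the article; the KEV feed itself carries no CVSS field.
CVSS = {"CVE-2024-57726": 9.9, "CVE-2024-57728": 7.2,
        "CVE-2024-7399": 8.8, "CVE-2025-29635": 7.5}
# Constructed asset inventory; "product" must match the KEV product string exactly.
INVENTORY = [
    {"asset": "rmm-server-01", "product": "SimpleHelp"},
    {"asset": "lobby-signage", "product": "MagicINFO 9 Server"},
    {"asset": "branch-router-3", "product": "DIR-823X"},
    {"asset": "core-switch-1", "product": "UnaffectedProduct"},
]

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    due: date
    action: str

def prioritize(kev: list, inventory: list, cvss: dict) -> list:
    """Match KEV entries to inventory; rank by CVSS (highest first), then earliest due date."""
    findings = [
        Finding(item["asset"], e["cveID"], cvss.get(e["cveID"], 0.0),
                date.fromisoformat(e["dueDate"]), e["requiredAction"])
        for e in kev for item in inventory if item["product"] == e["product"]
    ]
    return sorted(findings, key=lambda f: (-f.cvss, f.due, f.asset))

def overdue(findings: list, today_iso: str) -> list:
    """Findings whose KEV due date has already passed on the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings if f.due < today]
```

Running `prioritize(KEV_SAMPLE, INVENTORY, CVSS)` yields the SimpleHelp 9.9 finding first and the unaffected switch not at all; `overdue(...)` against a date after 8 May 2026 flags every remaining hit.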

As the threat landscape continues to evolve, organizations should establish regular vulnerability management processes that incorporate KEV prioritization while maintaining a comprehensive view of their security posture. The May 2026 deadline for federal agencies serves as a reminder that vulnerability remediation is not just a technical exercise but a critical component of national security infrastructure protection.
