
CISA Adds Four Flaws to KEV, Sets May 2026 Deadline

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming evidence that threat actors are actively exploiting them in the wild. The vulnerabilities affect SimpleHelp remote support software, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers.

Alongside the catalog update, CISA issued a binding operational directive requiring all Federal Civilian Executive Branch (FCEB) agencies to remediate the flaws by May 19, 2026. This directive enforces mandatory patching timelines to close attack vectors currently being leveraged by malicious actors.

Vulnerabilities Added to the KEV Catalog

The four vulnerabilities cover a range of severity and exploitability. The most critical issue, tracked as CVE-2024-57726, carries a CVSS score of 9.9 out of 10. This vulnerability involves a missing authorization flaw in SimpleHelp, a remote access and support tool commonly used by managed service providers and enterprise IT teams. The weakness could allow an unauthenticated attacker to bypass access controls and potentially gain elevated privileges on affected systems.

A second SimpleHelp vulnerability, CVE-2024-57727, also relates to authorization bypass. While the exact technical details remain partially undisclosed, CISA stated that active exploitation incidents have been observed, prompting the urgent inclusion in the KEV list.

For Samsung MagicINFO 9 Server, CISA added CVE-2024-49415. This flaw exists in the server software that manages digital signage displays. Successful exploitation could permit an attacker to execute arbitrary code or escalate privileges within the server environment. MagicINFO is widely deployed in corporate, retail, and hospitality settings for content management on large video walls and information screens.

The fourth vulnerability, CVE-2024-45609, affects D-Link DIR-823X series routers. These devices, primarily used in small office and home office networks, contain a command injection flaw. An unauthenticated attacker could exploit this vulnerability remotely to execute operating system commands, potentially compromising the router and enabling lateral movement within the network.

Implications for Federal Agencies and Private Sector

CISA’s KEV catalog serves as a prioritized list of vulnerabilities that known threat actors are actively exploiting. Federal agencies must apply patches, implement mitigations, or discontinue use of affected products by the specified deadline of May 19, 2026. Failure to comply could result in security breaches and regulatory noncompliance.

While the directive directly binds only federal civilian agencies, CISA and cybersecurity professionals strongly recommend that state and local governments, critical infrastructure operators, and private organizations apply the same remediation steps. Attackers often exploit these vulnerabilities indiscriminately, targeting any accessible system regardless of sector.

The CVSS score of 9.9 for CVE-2024-57726 underscores the severity of the SimpleHelp flaw. Scores in this range indicate near-critical risk, with minimal attack complexity and no user interaction required. Organizations using SimpleHelp should prioritize updating to the latest patched version immediately.

For D-Link DIR-823X series routers, the command injection vulnerability is particularly concerning because routers serve as the gateway for most network traffic. Compromised routers can allow attackers to intercept data, redirect traffic to malicious sites, or use the device as a pivot point for deeper network intrusions.

Background on the KEV Catalog

Established under Binding Operational Directive (BOD) 22-01, the KEV catalog is a central repository of vulnerabilities that CISA assesses to be actively exploited. The agency requires all FCEB agencies to remediate listed vulnerabilities within specified timeframes, typically ranging from two weeks to several months depending on severity and available patches.

CISA continuously updates the catalog based on threat intelligence, incident response findings, and reports from trusted partners. The addition of these four flaws reflects ongoing monitoring of real-world attack campaigns targeting widely deployed software and hardware.

Next Steps for Organizations

Organizations are advised to review their asset inventories for SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers. For each affected product, administrators should apply the vendor-supplied security updates or follow manufacturer guidance for mitigation. If patches are unavailable or cannot be applied within the required timeline, disconnecting the affected devices from the network is a recommended precaution.
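The inventory review described above is easiest to make repeatable by matching the KEV feed against an asset list and computing each entry's remaining remediation window (the "specified timeframes" the Background section mentions). The following is an added example, not code from the article or from CISA. It assumes the public KEV JSON feed layout (a top-level "vulnerabilities" list whose records carry cveID, vendorProject, product, requiredAction and dueDate); the feed excerpt embedded below is constructed from the CVE IDs and the May 19, 2026 deadline named in the article, with placeholder requiredAction text and one placeholder entry (CVE-0000-0000) that matches nothing, and the inventory hosts and owners are invented.

```python
"""Triage a CISA KEV feed excerpt against an asset inventory.

Added example (not the article's or CISA's code). Assumes the KEV JSON
feed shape: {"vulnerabilities": [{"cveID", "vendorProject", "product",
"requiredAction", "dueDate", ...}, ...]}.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed. CVE IDs and the due
# date come from the article; requiredAction strings are placeholders,
# and CVE-0000-0000 is a dummy entry that should match no asset.
KEV_SAMPLE = json.dumps({
    "title": "KEV excerpt (constructed for this example)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "requiredAction": "Apply vendor update or discontinue use (placeholder text).",
         "dueDate": "2026-05-19"},
        {"cveID": "CVE-2024-57727", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "requiredAction": "Apply vendor update or discontinue use (placeholder text).",
         "dueDate": "2026-05-19"},
        {"cveID": "CVE-2024-49415", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
         "requiredAction": "Apply vendor update (placeholder text).",
         "dueDate": "2026-05-19"},
        {"cveID": "CVE-2024-45609", "vendorProject": "D-Link", "product": "DIR-823X",
         "requiredAction": "Apply vendor update or disconnect device (placeholder text).",
         "dueDate": "2026-05-19"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "requiredAction": "Placeholder entry, matches nothing in the inventory.",
         "dueDate": "2026-01-01"},
    ],
})

# Invented asset inventory: hostnames, product strings and owners are made up.
INVENTORY = [
    {"host": "mgmt-01", "vendor": "SimpleHelp", "product": "SimpleHelp 5.5", "owner": "it-ops"},
    {"host": "signage-srv", "vendor": "Samsung", "product": "MagicINFO 9 Server", "owner": "facilities"},
    {"host": "branch-rtr", "vendor": "D-Link", "product": "DIR-823X", "owner": "network"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL 16", "owner": "dba"},
]


def load_kev(feed_text):
    """Parse the KEV JSON feed text and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(text):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def asset_matches(entry, asset):
    """Vendor must match; the KEV product string must appear in the asset's product string."""
    return (_norm(entry["vendorProject"]) == _norm(asset["vendor"])
            and _norm(entry["product"]) in _norm(asset["product"]))


def triage(kev_entries, inventory, as_of):
    """Return one finding per (asset, KEV entry) pair, sorted so the most urgent come first.

    as_of is an ISO date string (e.g. "2026-05-01"); days_left is negative once overdue.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset_matches(entry, asset):
                findings.append({
                    "host": asset["host"],
                    "owner": asset["owner"],
                    "cveID": entry["cveID"],
                    "dueDate": entry["dueDate"],
                    "days_left": (due - today).days,
                    "requiredAction": entry["requiredAction"],
                })
    findings.sort(key=lambda f: (f["days_left"], f["cveID"], f["host"]))
    return findings


def overdue(findings):
    """Findings whose KEV due date has already passed."""
    return [f for f in findings if f["days_left"] < 0]


def format_report(findings):
    """Render findings as one line per host/CVE for a ticket or daily report."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        lines.append(f"{f['host']:<12} {f['cveID']:<15} due {f['dueDate']} ({status}) owner={f['owner']}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = load_kev(KEV_SAMPLE)
    print(format_report(triage(entries, INVENTORY, "2026-05-01")))
```

In practice the feed text would be fetched from CISA's published JSON rather than embedded, and the inventory would come from a CMDB export; the matching is deliberately loose (vendor equality plus product substring) because KEV product names rarely include version strings, so a hit means "review this host", not "confirmed vulnerable".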

CISA encourages all organizations to report any observed exploitation attempts or related suspicious activity to the agency through official channels. The deadline of May 2026 provides a clear window for remediation but should not delay immediate action given the active exploitation status.

Source: GeekWire