# CISA Adds Four Critical Exploited Vulnerabilities to Patch Mandates


The Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, marking them as actively exploited in the wild. The additions underscore the persistent risk of unpatched software in enterprise environments and serve as an urgent reminder to organizations of all sizes that these flaws demand immediate remediation.


## The Threat


The four newly cataloged vulnerabilities represent attack patterns that are already being weaponized by malicious actors. Path traversal flaws allow attackers to access files and directories outside intended boundaries—a foundational technique for lateral movement and data exfiltration. Missing authorization controls remove the last line of defense between attackers and sensitive functions. Command injection vulnerabilities grant direct code execution on target systems. Each of these patterns has proven dangerously effective in real-world campaigns, which is why CISA's decision to add them to the KEV Catalog signals a clear and present danger.


The Known Exploited Vulnerabilities Catalog itself is a living list of CVEs that meet criteria for active exploitation and pose significant risks to the federal enterprise and broader critical infrastructure. CISA originally established the KEV Catalog through Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by a mandatory due date. While BOD 22-01 only applies to federal agencies, CISA explicitly urges all organizations—private sector, state/local government, and critical infrastructure operators—to treat KEV additions as high-priority remediation targets.


These four new entries represent a snapshot of an ongoing threat landscape in which attackers routinely identify and exploit vulnerabilities for which patches already exist before organizations can deploy those fixes. The speed of exploitation has accelerated dramatically over the past five years, collapsing the window between public disclosure and active weaponization from weeks to days, or even hours.


## Severity and Impact


| CVE | Product | Vulnerability Type | CVSS Score | Attack Vector | Complexity | Auth Required |
|-----|---------|--------------------|------------|---------------|------------|---------------|
| CVE-2024-7399 | Samsung MagicINFO 9 | Path Traversal | 7.5 | Network | Low | None |
| CVE-2024-57726 | SimpleHelp | Missing Authorization | 8.2 | Network | Low | None |
| CVE-2024-57728 | SimpleHelp | Path Traversal | 7.3 | Network | Low | None |
| CVE-2025-29635 | D-Link DIR-823X | Command Injection | 9.8 | Network | Low | None |


All four vulnerabilities share critical characteristics: they are network-accessible, require minimal complexity to exploit, and in most cases demand no authentication. The D-Link command injection vulnerability carries the highest severity rating, enabling unauthenticated remote code execution on consumer and small-business routers—devices that often operate with default credentials and limited visibility from IT teams.


## Affected Products


Samsung MagicINFO

  • Samsung MagicINFO 9 Server and earlier versions

SimpleHelp

  • SimpleHelp remote support platform (all affected versions subject to advisory)

D-Link

  • D-Link DIR-823X router series and related directional variants


## Mitigations


Organizations should treat these vulnerabilities as critical priority in their vulnerability management workflows:


Immediate Actions:

  • Inventory all instances of affected products across your network, including development, test, and backup systems
  • Prioritize Samsung MagicINFO servers and D-Link routers for patching within 72 hours
  • SimpleHelp installations should be evaluated for internet exposure and network segmentation

Vendor Patching:

  • Samsung: Deploy the latest MagicINFO 9 patch from Samsung's security advisory portal
  • SimpleHelp: Update to the latest version released in response to KEV additions
  • D-Link: Obtain and deploy the latest firmware for DIR-823X models from D-Link's support site

Compensating Controls (if patching is delayed):

  • Isolate affected devices on a dedicated VLAN with restricted outbound access
  • Implement network-level access controls limiting inbound connections to these systems
  • Deploy intrusion detection signatures monitoring for exploitation attempts
  • Require multi-factor authentication on management interfaces where possible
  • Monitor logs for suspicious file access or command execution patterns

Network-Level Protections:

  • Disable port forwarding for remote support tools unless absolutely required
  • Use VPN or jump hosts to access administrative interfaces
  • Disable default credentials immediately if any are detected
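The inventory and prioritization steps above can be automated against CISA's KEV feed, which is published as JSON with the field names used here. The following is an added example, not code from CISA or any of the vendors: the feed snippet, the asset inventory, the hostnames and the due dates are all constructed placeholders for offline use, and it ranks matches so that internet-exposed assets and the soonest BOD 22-01 due dates come first.

```python
import json
from datetime import date

# Constructed sample of the CISA KEV feed (real field names; dates are placeholders, not CISA's)
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dueDate": "2025-06-01"},
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2025-06-05"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2025-06-05"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X Router",
     "dueDate": "2025-05-25"},
]})

# Constructed asset inventory (hostnames are hypothetical)
INVENTORY = [
    {"host": "signage-01", "vendor": "Samsung", "product": "MagicINFO 9 Server", "internet_exposed": True},
    {"host": "helpdesk-vm", "vendor": "SimpleHelp", "product": "SimpleHelp", "internet_exposed": False},
    {"host": "branch-rtr", "vendor": "D-Link", "product": "DIR-823X", "internet_exposed": True},
    {"host": "fileserver", "vendor": "Microsoft", "product": "Windows Server", "internet_exposed": False},
]

def normalize(name):
    """Fold case and drop separators so 'D-Link', 'd link' and 'dlink' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def load_kev(text):
    """Parse the KEV JSON feed into its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]

def triage(kev, inventory, today_iso):
    """Match assets to KEV entries; rank internet-exposed first, then by soonest due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev:
            nv, ne = normalize(asset["vendor"]), normalize(entry["vendorProject"])
            vendor_hit = nv in ne or ne in nv  # tolerate 'Samsung' vs 'Samsung Electronics'
            product_hit = normalize(asset["product"]) in normalize(entry["product"])
            if vendor_hit and product_hit:
                due = date.fromisoformat(entry["dueDate"])
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "days_to_due": (due - today).days,
                                 "internet_exposed": asset["internet_exposed"]})
    findings.sort(key=lambda f: (not f["internet_exposed"], f["days_to_due"], f["cve"]))
    return findings

if __name__ == "__main__":
    for f in triage(load_kev(KEV_SAMPLE), INVENTORY, "2025-05-20"):
        print(f["host"], f["cve"], f"due in {f['days_to_due']} days", "EXPOSED" if f["internet_exposed"] else "")
```

Replace `KEV_SAMPLE` with the downloaded feed and `INVENTORY` with your CMDB export; the ranking then becomes the patch queue for the 72-hour window recommended above.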

## References


  • [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
  • [Binding Operational Directive 22-01](https://www.cisa.gov/binding-operational-directive-22-01)
  • [Samsung MagicINFO Security Advisory](https://www.samsung.com/business/security/alerts/)
  • [SimpleHelp Security Bulletin](https://simple-help.com/support)
  • [D-Link DIR-823X Support and Updates](https://support.dlink.com/)


Bottom Line: Federal agencies and the broader cybersecurity community must treat CISA's KEV additions with the urgency they deserve. Organizations that have deployed these products should begin remediation immediately. For those managing consumer routers like the D-Link DIR-823X in corporate networks, the command injection vulnerability represents a critical gateway for attackers—prioritize firmware updates and network isolation. The combination of active exploitation, network accessibility, and minimal complexity makes these four vulnerabilities an immediate threat to any environment where they exist.