
CISA adds four more flaws to KEV - SimpleHelp authorization bypass (CVSS 9.9), Samsung MagicINFO, and the D-Link DIR-823X bug already powering fresh Mirai botnets

CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.

Check
Inventory exposed instances of SimpleHelp, Samsung MagicINFO 9 Server, and any remaining D-Link DIR-823X routers. SimpleHelp is the priority - it sits inside the IT trust boundary.
Affected
SimpleHelp before 5.5.8 against CVE-2024-57726 and CVE-2024-57728 (chained to RCE as the SimpleHelp server user). Samsung MagicINFO 9 Server unpatched against CVE-2024-7399. D-Link DIR-823X firmware 240126 and 24082 against CVE-2025-29635 - the product line is discontinued and no vendor patch exists.
Fix
Upgrade SimpleHelp to 5.5.8+ and rotate every API key issued by every technician account, since unprivileged techs could have minted privileged keys during the vulnerable window. Audit SimpleHelp session logs for anomalies. Patch Samsung MagicINFO and remove its internet exposure. For D-Link DIR-823X, replace the hardware - there is no fix. Treat May 8 as your own deadline.
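A small triage helper for the Check and Fix steps above, added here as an example and not part of the original article. It matches a constructed asset inventory against the affected versions the article lists; the only vendor-confirmed fixed build on the page is SimpleHelp 5.5.8, so every MagicINFO 9 Server instance is flagged for patch verification, and the year of the May 8 deadline is assumed to be 2025.

```python
"""Triage an inventory against the four KEV entries in this article."""
from datetime import date

KEV_DEADLINE = date(2025, 5, 8)  # federal deadline; year assumed from the CVE-2025 entry

# Constructed inventory: (hostname, product, version, internet_exposed)
INVENTORY = [
    ("rmm-01", "SimpleHelp", "5.5.7", True),
    ("rmm-02", "SimpleHelp", "5.5.8", True),
    ("signage-01", "Samsung MagicINFO 9 Server", "9.0", True),
    ("branch-rtr-03", "D-Link DIR-823X", "240126", True),
    ("branch-rtr-04", "D-Link DIR-823X", "24082", False),
]

def version_tuple(v):
    """Turn '5.5.7' into (5, 5, 7) so comparison is numeric, not lexicographic."""
    return tuple(int(p) for p in v.split("."))

def triage(host, product, version, exposed):
    """Return (cves, action) if the asset is affected, else None."""
    if product == "SimpleHelp" and version_tuple(version) < version_tuple("5.5.8"):
        return (["CVE-2024-57726", "CVE-2024-57728"],
                "upgrade to 5.5.8+, rotate every technician API key, audit session logs")
    if product == "Samsung MagicINFO 9 Server":
        # No fixed build is stated in the article; flag every instance for patch verification.
        action = "verify vendor patch applied"
        if exposed:
            action += " and remove internet exposure"
        return (["CVE-2024-7399"], action)
    if product == "D-Link DIR-823X" and version in {"240126", "24082"}:
        return (["CVE-2025-29635"], "replace hardware; product discontinued, no patch")
    return None

def triage_inventory(inventory, today):
    """Return one finding per affected asset with days left to the KEV deadline."""
    findings = []
    for host, product, version, exposed in inventory:
        hit = triage(host, product, version, exposed)
        if hit:
            cves, action = hit
            findings.append({"host": host, "cves": cves, "action": action,
                             "days_left": (KEV_DEADLINE - today).days})
    return findings

if __name__ == "__main__":
    for f in triage_inventory(INVENTORY, date(2025, 4, 25)):
        print(f"{f['host']}: {', '.join(f['cves'])} -> {f['action']} ({f['days_left']}d left)")
```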