PROBABLYPWNED
Vulnerabilities | April 25, 2026 | 4 min read

CISA Adds Samsung, SimpleHelp, D-Link Flaws to Must-Patch List

Four actively exploited vulnerabilities added to CISA's KEV catalog on April 24. Federal agencies face May 8 deadline—here's what's being targeted.

Marcus Chen

CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026, citing evidence of active exploitation in the wild. The additions target Samsung digital signage systems, SimpleHelp remote support software, and D-Link consumer routers—a diverse set reflecting attackers' opportunistic approach to vulnerability exploitation.

Federal agencies must patch or mitigate these vulnerabilities by May 8, 2026, under Binding Operational Directive 22-01. Private organizations should treat KEV additions as indicators that exploitation is already happening and prioritize accordingly.

The Four Vulnerabilities

Samsung MagicINFO 9 Server Path Traversal

Samsung's MagicINFO digital signage management platform contains a path traversal vulnerability that allows attackers to access files outside intended directories. MagicINFO servers manage content across digital displays in retail, hospitality, and corporate environments—compromising them can expose internal networks or enable content manipulation.

This marks the third time in 12 months that Samsung MagicINFO has appeared in CISA's KEV catalog, suggesting organizations are struggling to keep the platform patched or that the attack surface remains attractive to threat actors.

SimpleHelp Missing Authorization (CVE-2024-57726)

Two SimpleHelp vulnerabilities made the list, including CVE-2024-57726, a missing authorization flaw that allows low-privileged technicians to create API keys with elevated permissions. Attackers can leverage these overprivileged keys to escalate to server admin roles.

SimpleHelp's presence in managed service provider (MSP) environments makes it particularly valuable to attackers. Compromising a SimpleHelp deployment can provide access to multiple downstream customer environments—a pattern we've seen exploited in ransomware campaigns targeting MSPs earlier this year.

SimpleHelp Remote Code Execution

A second SimpleHelp vulnerability enables remote code execution on affected servers. Combined with the authorization bypass, these two flaws give attackers a complete compromise chain: escalate privileges, then execute arbitrary code.

D-Link DIR-823X Command Injection

D-Link's DIR-823X router series contains a command injection weakness that allows attackers to execute arbitrary system commands. Consumer routers have limited security telemetry, making them attractive for botnet recruitment and as pivot points into home and small business networks.

D-Link routers have been frequent targets. Just last week, similar command injection issues in the company's DIR-823G and other models were incorporated into Mirai botnet variants.

Why These Were Added

CISA adds vulnerabilities to KEV based on confirmed exploitation, not just severity scores. The presence of Samsung, SimpleHelp, and D-Link flaws in the same update reflects the breadth of active campaigns—attackers are simultaneously targeting enterprise signage systems, MSP infrastructure, and consumer networking equipment.

The SimpleHelp additions are particularly concerning given the platform's role in remote support workflows. When CISA added eight Cisco SD-WAN vulnerabilities earlier this month, the agency highlighted how network management platforms provide attackers with privileged positions in victim environments. SimpleHelp serves a similar function.

What Makes KEV Different

The Known Exploited Vulnerabilities catalog isn't a comprehensive list of all CVEs. CISA specifically tracks vulnerabilities with confirmed exploitation, making it a practical prioritization tool. If a vulnerability appears in KEV, someone is actively using it in attacks.

For security teams drowning in CVE volume, KEV provides signal through the noise. The April 24 additions bring the catalog to over 1,200 entries—each representing a vulnerability that moved from theoretical risk to demonstrated threat.

Remediation Guidance

Samsung MagicINFO:

  • Apply the latest firmware update from Samsung's security portal
  • Restrict network access to MagicINFO management interfaces
  • Audit content management logs for unauthorized access

SimpleHelp:

  • Upgrade to SimpleHelp version 5.5.8 or later
  • Review technician account permissions and API key assignments
  • Monitor for unusual privilege escalation patterns
  • Consider network segmentation between SimpleHelp servers and managed endpoints

D-Link DIR-823X:

  • Check D-Link's support page for firmware updates
  • If no patch is available, consider replacing end-of-life hardware
  • Disable remote management features if not required
  • Implement network segmentation to limit router compromise impact

Federal Deadline

Federal Civilian Executive Branch agencies must remediate these vulnerabilities by May 8, 2026. For organizations outside the federal mandate, the exploitation evidence behind KEV additions makes them worth treating as urgent regardless of compliance requirements.

The full catalog is available at CISA's KEV page, which provides sortable and filterable access to all tracked vulnerabilities.
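As a worked example of using KEV as a prioritization tool (added here; it is not code from the article or from CISA), the script below loads entries in the layout of CISA's KEV JSON feed, keeps those added on or after a cutoff date, matches them against a constructed asset inventory, and reports days remaining until the BOD 22-01 due date. The feed URL and field names are those of CISA's published JSON feed; the sample entries, the inventory, and every CVE ID other than CVE-2024-57726 are constructed placeholders.

```python
"""Triage new CISA KEV entries against a local asset inventory (added example)."""
import json
from datetime import date

# Constructed sample mirroring the field names of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE-2024-57726 is the one identifier the article names; the other IDs are placeholders.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "vulnerabilityName": "SimpleHelp Missing Authorization Vulnerability",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-0000-PLACEHOLDER-1", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "vulnerabilityName": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-08"},
    {"cveID": "CVE-0000-PLACEHOLDER-2", "vendorProject": "Cisco", "product": "SD-WAN",
     "vulnerabilityName": "Placeholder for an earlier Cisco SD-WAN entry",
     "dateAdded": "2026-04-10", "dueDate": "2026-04-24"},
]})

# Constructed inventory of products we run, keyed by vendorProject as KEV spells it.
INVENTORY = {"SimpleHelp": ["SimpleHelp"], "Samsung": ["MagicINFO 9 Server"]}


def kev_entries_added_since(feed_json, since):
    """Return KEV entries whose dateAdded is on or after the ISO date string `since`."""
    feed = json.loads(feed_json)
    cutoff = date.fromisoformat(since)
    return [v for v in feed["vulnerabilities"] if date.fromisoformat(v["dateAdded"]) >= cutoff]


def triage(feed_json, inventory, since, today):
    """Match new KEV entries to the inventory and count days to the BOD 22-01 due date.

    A negative days_left means the due date has already passed; most urgent first."""
    now = date.fromisoformat(today)
    hits = []
    for v in kev_entries_added_since(feed_json, since):
        if v["product"] not in inventory.get(v["vendorProject"], []):
            continue  # not deployed here, so it stays off the patch list
        days_left = (date.fromisoformat(v["dueDate"]) - now).days
        hits.append({"cve": v["cveID"], "product": v["product"], "due": v["dueDate"],
                     "days_left": days_left, "overdue": days_left < 0})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for h in triage(SAMPLE_KEV_JSON, INVENTORY, "2026-04-24", "2026-04-25"):
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']} days left"
        print(f"{h['cve']:<24} {h['product']:<20} due {h['due']} ({flag})")
```

Against the live feed, replace SAMPLE_KEV_JSON with the downloaded file's contents and INVENTORY with your own asset list; the vendorProject and product strings must match KEV's spelling exactly.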
