CISA Adds Four Exploited Flaws to KEV, Patch by May 8, 2026

CISA added four actively exploited vulnerabilities in SimpleHelp, Samsung MagicINFO 9 and D-Link DIR-823X routers to the KEV catalog and ordered fixes by May 8, 2026.

The Cybersecurity and Infrastructure Security Agency on Friday added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog and set a May 8, 2026 deadline for federal civilian agencies to patch or remove affected systems.

CISA listed CVE-2024-57726 and CVE-2024-57728 in SimpleHelp, CVE-2024-7399 in Samsung MagicINFO 9 Server, and CVE-2025-29635 in D-Link’s DIR-823X series. The agency said there is evidence the flaws are being used in the wild.

CVE-2024-57726 carries a 9.9 CVSS score and is a missing authorization vulnerability that can let low-privilege technicians create API keys with excessive permissions and escalate to a server administrator role. CVE-2024-57728 has a 7.2 score and is a zip-slip path traversal that allows an administrator to upload a crafted ZIP that can place files anywhere on the server and lead to code execution as the SimpleHelp server user. CVE-2024-7399, scored 8.8, is a path traversal in Samsung MagicINFO 9 that can permit writing files with system-level authority. CVE-2025-29635, scored 7.5, is a command injection vulnerability in end-of-life D-Link DIR-823X routers that allows an authenticated attacker to run commands by sending a POST request to /goform/set_prohibiting.

Security firms reported last year that the SimpleHelp flaws were abused as a precursor to ransomware operations, with at least one campaign linked to the DragonForce ransomware group. Activity tied to the Samsung MagicINFO flaw has previously deployed Mirai botnet malware. Recent attempts against D-Link devices have aimed to deliver a Mirai variant known as “tuxnokill.” CISA said those findings indicate active exploitation of the listed vulnerabilities.

To reduce risk, CISA directed Federal Civilian Executive Branch agencies to apply vendor fixes for the listed flaws or, for the D-Link issue, discontinue use of the affected appliance by the May 8, 2026 deadline. The agency noted that inclusion in the KEV catalog establishes a prioritized mitigation timeline for government systems.

CISA uses the KEV catalog to track vulnerabilities with evidence of exploitation and to coordinate required actions for federal networks. Organizations that use the affected products are advised to follow vendor patch or removal guidance and to monitor network traffic and device logs for signs of compromise.
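One concrete way to act on the log-monitoring advice above is to scan web-server access logs of affected devices for requests to the endpoint named in the D-Link entry (a POST to /goform/set_prohibiting for CVE-2025-29635). The following script is an added example written for this page, not code from CISA or any vendor; it parses constructed log lines in combined log format (the sample data and IP addresses are made up) and reports each matching request with its source address and user agent. Because the endpoint is a normal authenticated management form, a hit is a lead to review, not proof of exploitation.

```python
"""Scan constructed access-log lines for POST requests to the D-Link DIR-823X
endpoint (/goform/set_prohibiting) cited in the CISA KEV entry for CVE-2025-29635.
Added example for this page; the log lines below are constructed, not captured."""
import re
from collections import Counter

# Constructed sample log lines (combined log format). Addresses are documentation
# ranges (RFC 5737), so nothing here refers to a real host.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2026:10:01:12 +0000] "GET /login.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [02/May/2026:10:01:20 +0000] "POST /goform/login HTTP/1.1" 200 212 "-" "Mozilla/5.0"
203.0.113.5 - - [02/May/2026:10:01:25 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [02/May/2026:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2026:10:02:10 +0000] "POST /goform/set_prohibiting?x=1 HTTP/1.1" 200 64 "-" "curl/8.4.0"
malformed line that does not parse
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, size, referer, user agent. Lines that do not match are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the page for the D-Link flaw, mapped to the CVE it relates to.
WATCHED_POSTS = {"/goform/set_prohibiting": "CVE-2025-29635 (D-Link DIR-823X)"}

# User-agent prefixes that are unusual for a router's browser-based admin UI.
# Heuristic only: this list is an assumption, not something the page states.
NON_BROWSER_UA_PREFIXES = ("python-requests", "curl/", "wget/", "Go-http-client")


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(log_text):
    """Return one record per POST to a watched endpoint (query string ignored)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # compare the path without its query
        if rec["method"] == "POST" and path in WATCHED_POSTS:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": path,
                "status": int(rec["status"]),
                "ua": rec["ua"],
                "cve": WATCHED_POSTS[path],
                "non_browser_ua": rec["ua"].startswith(NON_BROWSER_UA_PREFIXES),
            })
    return hits


def summarize(hits):
    """Count matching requests per source address for quick triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        flag = " [non-browser client]" if h["non_browser_ua"] else ""
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]} ({h["cve"]}){flag}')
    print("requests per source:", dict(summarize(found)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; each hit should be checked against the set of expected administrators and their usual client software, since the same endpoint is also reached during legitimate configuration changes.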
