Back to Intelligence

CISA KEV Alert: Active Exploitation of Samsung MagicINFO, SimpleHelp, and D-Link Flaws

SA
Security Arsenal Team
April 24, 2026
7 min read

CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, signaling that threat actors are actively leveraging these flaws in the wild. Under Binding Operational Directive (BOD) 22-01, federal agencies are required to patch these issues by the specified deadlines, but private sector organizations should treat these alerts with equal urgency. The addition of Samsung MagicINFO, SimpleHelp, and D-Link vulnerabilities underscores a aggressive trend toward exploiting edge devices, remote support tools, and digital signage servers for initial access and lateral movement.

Introduction

Defenders are currently facing a surge in exploitation targeting internet-facing infrastructure. The four vulnerabilities added to the KEV catalog today—CVE-2024-7399, CVE-2024-57726, CVE-2024-57728, and CVE-2025-29635—span disparate platforms but share a common outcome: unauthorized remote access. From digital signage servers to remote support software and SOHO routers, these vectors provide attackers with a foothold to deploy ransomware or conduct espionage. Immediate identification and patching of these specific assets is non-negotiable for maintaining security posture.

Technical Analysis

1. CVE-2024-7399: Samsung MagicINFO 9 Path Traversal

  • Affected Product: Samsung MagicINFO Server 9 (used for digital signage).
  • Vulnerability Type: Path Traversal (CWE-22).
  • Mechanism: This flaw allows an unauthenticated attacker to read arbitrary files on the server via specially crafted HTTP requests. By leveraging directory traversal sequences (e.g., ../), attackers can access sensitive configuration files, credentials, or application source code.
  • Risk: Credential theft leading to full server compromise and pivot into the internal network.
  • Status: Confirmed Active Exploitation in the wild.

2. CVE-2024-57726 & CVE-2024-57728: SimpleHelp Remote Support

  • Affected Product: SimpleHelp (Remote Support and Remote Access software).
  • Vulnerabilities: Missing Authorization (57726) and Path Traversal (57728).
  • Mechanism:
    • Missing Authorization: Specific API endpoints fail to verify user permissions, allowing unauthenticated access to administrative functions.
    • Path Traversal: Similar to the Samsung flaw, this allows reading files outside the web root.
  • Risk: Remote support tools are high-value targets. Exploitation allows attackers to bypass the intended "support" channel to gain persistent, unauthorized remote control of endpoints without user interaction.
  • Status: Confirmed Active Exploitation in the wild.

3. CVE-2025-29635: D-Link DIR-823X Command Injection

  • Affected Product: D-Link DIR-823X Wireless Router.
  • Vulnerability Type: OS Command Injection (CWE-78).
  • Mechanism: The vulnerability exists in the web interface's handling of specific CGI parameters. An attacker can inject arbitrary operating system commands by sending malicious input to these endpoints.
  • Risk: Full device compromise. Attackers can modify DNS settings (phishing/sniffing), convert the router into a botnet node, or tunnel traffic into the internal network.
  • Status: Confirmed Active Exploitation in the wild.

Detection & Response

The following detection logic focuses on identifying the exploitation behaviors associated with these CVEs. Since MagicINFO and SimpleHelp are web-based, we monitor for Path Traversal patterns. The D-Link flaw requires monitoring for Command Injection syntax in web requests. SimpleHelp exploitation is identified by the parent process spawning unauthorized shells.

YAML
---
title: Potential Path Traversal Exploitation Attempt
id: c4331c88-1b4d-4b5c-9c8d-1d2f3b4c5d6e
status: experimental
description: Detects potential path traversal attempts characteristic of CVE-2024-7399 and CVE-2024-57728 usage in URI strings.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/24
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: null
detection:
  selection:
    c|contains:
      - '../'
      - '..%2f'
      - '..%5c'
      - '%252e'
  condition: selection
falsepositives:
  - Scanning activity from authorized penetration testing
  - Misconfigured web clients
level: high
---
title: Web Request Command Injection via Shell Metacharacters
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential command injection in web requests indicative of CVE-2025-29635 (D-Link DIR-823X) exploitation.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/24
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.29635
logsource:
  category: webserver
  product: null
detection:
  selection:
    c|contains:
      - '| '
      - '&& '
      - '; '
      - '`'
      - '$('
  filter_main_generic:
    cs-uri-query|contains:
      - 'favicon'
      - '.css'
      - '.js'
  condition: selection and not filter_main_generic
falsepositives:
  - Web application development testing
level: high
---
title: SimpleHelp Remote Support Spawning Shell
id: e5f6g7h8-i9j0-4k1l-m2n3-o4p5q6r7s8t9
status: experimental
description: Detects SimpleHelp support tool processes spawning cmd.exe or powershell.exe, potentially indicating exploitation of CVE-2024-57726.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/24
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\SimpleHelp.exe'
      - '\SimpleSupport.Service.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate administrator using SimpleHelp to run diagnostics
level: medium


**KQL (Microsoft Sentinel / Defender)**

Hunting for path traversal and command injection patterns in web logs and proxy data.

KQL — Microsoft Sentinel / Defender
// Hunt for Path Traversal and Command Injection in Web Logs
let SuspiciousPatterns = dynamic(['../', '..%2f', '..%5c', '| ', '&& ', '; ', '`', '$(']);
DeviceNetworkEvents
| where ActionType in ('ConnectionSuccess', 'InboundConnectionAccepted')
| where RemoteUrl has_any(SuspiciousPatterns) or RequestFields has_any(SuspiciousPatterns)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RequestFields, RemoteIP
| order by Timestamp desc


**Velociraptor VQL**

Hunt endpoint for SimpleHelp installations and suspicious parent-child process relationships.

VQL — Velociraptor
-- Hunt for SimpleHelp service binaries and check for suspicious child processes
SELECT Pid, Name, CommandLine, Exe, ParentPid
FROM pslist()
WHERE Name =~ 'SimpleHelp'
   OR Name =~ 'SimpleSupport.Service'
-- Chain lookup to see if these parents spawned cmd or powershell
LET SuspiciousChildren = SELECT Pid, Name, CommandLine, Exe, Parent.Pid AS ParentPid
FROM pslist()
WHERE Name =~ 'cmd.exe' OR Name =~ 'powershell.exe'
SELECT Parent.Name AS ParentProcess, Children.Name AS ChildProcess, Children.CommandLine
FROM pslist() AS Parent
LEFT JOIN SuspiciousChildren AS Children ON Parent.Pid = Children.ParentPid
WHERE Parent.Name =~ 'SimpleHelp'


**Remediation Script (PowerShell)**

Audit Windows systems for the presence of the vulnerable SimpleHelp software to ensure it is updated or removed if unauthorized.

PowerShell
# Audit for SimpleHelp Installation
Write-Host "Checking for SimpleHelp installations..."

# Check Common Paths
$paths = @(
    "${env:ProgramFiles}\SimpleHelp",
    "${env:ProgramFiles(x86)}\SimpleHelp",
    "${env:ProgramData}\SimpleHelp"
)

$vulnerableFound = $false

foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "[!] SimpleHelp found at: $path" -ForegroundColor Yellow
        $vulnerableFound = $true
        # Attempt to get version info from the main executable if it exists
        $exePath = Get-ChildItem -Path $path -Recurse -Filter "*.exe" | Select-Object -First 1
        if ($exePath) {
            try {
                $versionInfo = (Get-Item $exePath.FullName).VersionInfo
                Write-Host "    File: $($exePath.Name)"
                Write-Host "    Version: $($versionInfo.FileVersion)"
            } catch {
                Write-Host "    Could not retrieve version information."
            }
        }
    }
}

# Check for Running Services
$service = Get-Service | Where-Object { $_.Name -like "*SimpleHelp*" -or $_.DisplayName -like "*SimpleHelp*" }
if ($service) {
    Write-Host "[!] SimpleHelp Service Running: $($service.DisplayName)" -ForegroundColor Yellow
    Write-Host "    Status: $($service.Status)"
    Write-Host "    StartType: $($service.StartType)"
    $vulnerableFound = $true
}

if (-not $vulnerableFound) {
    Write-Host "No SimpleHelp installations detected." -ForegroundColor Green
} else {
    Write-Host "ACTION REQUIRED: If this software is not authorized for support, remove it. If authorized, update to the latest version immediately to patch CVE-2024-57726 and CVE-2024-57728." -ForegroundColor Red
}

Remediation

1. Samsung MagicINFO 9 (CVE-2024-7399)

  • Action: Update to the latest security patch released by Samsung.
  • Vendor Advisory: Refer to the Samsung Security Advisory for MagicINFO 9. Ensure the build number is post-patch release.
  • Configuration: If patching is delayed, restrict access to the MagicINFO server web interface to specific management IP subnets via firewall ACLs.

2. SimpleHelp (CVE-2024-57726, CVE-2024-57728)

  • Action: Update SimpleHelp to the latest version immediately. The vendor has released patches addressing both the missing authorization and path traversal flaws.
  • Network Segmentation: Ensure SimpleHelp servers are not directly exposed to the public internet unless absolutely necessary. Require VPN or Zero Trust Network Access (ZTNA) for support staff.

3. D-Link DIR-823X (CVE-2025-29635)

  • Action: Update the router firmware to the latest version available on the D-Link support website.
  • Mitigation: Disable Remote Management (WAN access to the web interface) on the router settings. This device is End-of-Life (EOL) for many models; consider replacing it with a supported enterprise-grade router.

4. CISA Deadlines Per BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by the deadline specified in the KEV catalog entry. Private organizations should follow suit immediately to prevent becoming the next victim of active exploitation.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment Vulnerability Management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurecisa-kevsamsung-magicinfosimplehelp

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action