CISA KEV Update: SimpleHelp Auth Bypass and Router Risks
Just caught the CISA KEV update from Friday. They added four vulnerabilities, including a critical one in SimpleHelp (CVE-2024-57726) scoring a 9.9. It's a missing authorization vulnerability, which is bad news considering SimpleHelp is used for remote support and system management. If attackers get in here, they basically have the keys to the kingdom.
They also flagged issues in Samsung MagicINFO 9 Server and D-Link DIR-823X series routers. While federal agencies have until May 2026 to patch, we know active exploitation doesn't wait for bureaucratic deadlines.
If you have any D-Link gear, you might want to check if it's exposed. A quick Shodan query can reveal if these devices are listening to the world:
http http.title:"DIR-823X" product:"D-Link"
For the SimpleHelp vulnerability, ensure your remote support instances are updated immediately. We are currently hunting for the specific version strings in our asset inventory to identify exposure.
Is anyone else seeing scans targeting these specific D-Link models or remote support tools in their logs yet, or is the exploitation still highly targeted?
We've seen a noticeable uptick in probes against ports 8080 and 443 on our edge firewalls over the weekend, likely looking for that D-Link vulnerability. Legacy routers are the bane of my existence as an MSP; convincing clients to replace 'working' hardware is harder than patching the servers.
For anyone running SimpleHelp, you can check the version via the CLI to confirm if you are vulnerable. On Windows, you can run:
Get-CimInstance -ClassName Win32_Product | Where-Object {$_.Name -like "*SimpleHelp*"} | Select-Object Name, Version
We found two instances in our environment that were several versions behind. Patching is straightforward, but discovery is the hard part.
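An added example, not part of the thread or any vendor tooling: one way to run the asset-inventory hunt described above over a CSV export, bucketing hosts as exposed, patched, or needing manual review. The CSV layout, host names, versions and the `2.0.0` threshold are constructed placeholders; take the real fixed release from the vendor advisory.

```python
"""Triage an asset-inventory export for hosts running an unpatched product."""
import csv
import io
import re

# Constructed inventory export; hosts, product strings and versions are made up.
SAMPLE_INVENTORY = """host,product,version
support-01,SimpleHelp Server,1.4.2
support-02,SimpleHelp Server,2.0.0
kiosk-07,SimpleHelp Remote Access,1.10
lab-03,SimpleHelp Server,unknown
web-01,nginx,1.24.0
"""

def parse_version(text):
    """Return a tuple of ints for dotted versions, or None if unparseable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(found, fixed):
    """Compare numerically, padding so 1.10 > 1.4 and 2.0 == 2.0.0."""
    width = max(len(found), len(fixed))
    a = found + (0,) * (width - len(found))
    b = fixed + (0,) * (width - len(fixed))
    return a < b

def triage(inventory_csv, product_substring, fixed_version):
    """Bucket matching hosts into exposed / patched / needs manual review."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError("fixed_version must be a dotted numeric version")
    buckets = {"exposed": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if product_substring.lower() not in row["product"].lower():
            continue
        found = parse_version(row["version"])
        if found is None:
            # Never treat an unreadable version string as safe.
            buckets["review"].append(row["host"])
        elif is_older(found, fixed):
            buckets["exposed"].append(row["host"])
        else:
            buckets["patched"].append(row["host"])
    return buckets

if __name__ == "__main__":
    # "2.0.0" is a placeholder threshold, not the real fixed release.
    print(triage(SAMPLE_INVENTORY, "simplehelp", "2.0.0"))
```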