Federal Civilian Executive Branch (FCEB) agencies are recommended to apply fixes — or, in the case of one end-of-life router vulnerability, discontinue use of the appliance — by May 8, 2026, after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog.
The four vulnerabilities CISA added: CVE-2024-57726, CVE-2024-57728, CVE-2024-7399, CVE-2025-29635
CISA’s KEV update lists four specific flaws across three products. Two affect SimpleHelp: CVE-2024-57726 (CVSS 9.9), a missing-authorization bug that lets low-privileged technicians create API keys with excessive permissions and escalate to server-admin, and CVE-2024-57728 (CVSS 7.2), a zip-slip path traversal that allows admin users to upload files anywhere on the file system and potentially execute code as the SimpleHelp server user. A Samsung defect, CVE-2024-7399 (CVSS 8.8), is a path traversal in MagicINFO 9 Server that can let an attacker write arbitrary files as system authority. The fourth, CVE-2025-29635 (CVSS 7.5), is a command-injection flaw in end-of-life D-Link DIR-823X series routers that permits an authorized attacker to run arbitrary commands by posting to /goform/set_prohibiting.
Evidence of exploitation: ransomware links, Mirai activity, and recorded attempts
Although both SimpleHelp flaws are marked "Unknown" under the KEV field "Known To Be Used in Ransomware Campaigns?", the source cites reporting from Field Effect and Sophos that documented their exploitation early last year as a precursor to ransomware attacks; one such campaign was attributed to the DragonForce ransomware operation. Past malicious activity exploiting CVE-2024-7399 has been linked to deployments of the Mirai botnet. And, according to the advisory, Akamai disclosed earlier this week that it recorded attempts targeting D-Link devices to deliver a Mirai variant named "tuxnokill."
What this means for Federal Civilian Executive Branch agencies
CISA’s inclusion of these flaws on the KEV catalog carries an operational instruction for FCEB agencies: apply available fixes for the affected products, and in the case of the D-Link DIR-823X vulnerability (CVE-2025-29635), discontinue use of the appliance by May 8, 2026. The advisory couples evidence of active exploitation with a targeted mitigation deadline, placing a clear, time-bound obligation on agencies to reconcile legacy equipment and vulnerable server software before that date.
How technologists, procurement leaders, and defenders should respond
- Technologists and security teams — prioritize patching or compensating controls for SimpleHelp and Samsung MagicINFO 9 Server installations, mindful that the SimpleHelp issues include both privilege-escalation and code-execution vectors.
- Procurement and asset managers — identify end-of-life D-Link DIR-823X routers in inventories and plan for their removal or replacement, since the advisory specifically recommends discontinuing use of that appliance by May 8, 2026.
- Network defenders — monitor for Mirai-style activity and tactics tied to the known exploits; the advisory links CVE-2024-7399 and D-Link exploitation attempts to Mirai botnet deployments and a Mirai variant named "tuxnokill."
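As an added example that is not part of the article or of any CISA tooling: a small Python triage script that joins an asset inventory against records shaped like entries in CISA's public KEV JSON feed, separating "discontinue use" work (the D-Link router) from patch work and counting days to the May 8, 2026 due date. The inventory hostnames and the requiredAction wording are constructed assumptions; the CVE ids, products and due date are those the article reports.

```python
from datetime import date
# Constructed records for the four CVEs in the article, shaped like entries in
# CISA's public KEV JSON feed; the requiredAction wording here is paraphrased.
def kev_entry(cve, vendor, product, action, ransomware="Unknown"):
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "requiredAction": action, "dueDate": "2026-05-08",
            "knownRansomwareCampaignUse": ransomware}

PATCH = "Apply mitigations per vendor instructions."
KEV = [
    kev_entry("CVE-2024-57726", "SimpleHelp", "SimpleHelp", PATCH),
    kev_entry("CVE-2024-57728", "SimpleHelp", "SimpleHelp", PATCH),
    kev_entry("CVE-2024-7399", "Samsung", "MagicINFO 9 Server", PATCH),
    kev_entry("CVE-2025-29635", "D-Link", "DIR-823X Series",
              "Product is end-of-life; discontinue use of the device."),
]

# Constructed asset inventory; hostnames are placeholders.
INVENTORY = [
    {"host": "rmm-01", "vendor": "SimpleHelp", "product": "SimpleHelp"},
    {"host": "signage-02", "vendor": "Samsung", "product": "MagicINFO 9 Server"},
    {"host": "edge-rtr-7", "vendor": "D-Link", "product": "DIR-823X"},
    {"host": "db-03", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]

def matches(asset, entry):
    """Vendor must match (case-insensitive); product is a substring test in either
    direction, so an inventory 'DIR-823X' hits the KEV product 'DIR-823X Series'."""
    if asset["vendor"].lower() != entry["vendorProject"].lower():
        return False
    a, k = asset["product"].lower(), entry["product"].lower()
    return a in k or k in a

def triage(inventory, kev, today):
    """One row per affected asset: matched CVEs, the required action (discontinue
    use outranks patch), days to the earliest due date, and the ransomware flag."""
    rows = []
    for asset in inventory:
        hits = [e for e in kev if matches(asset, e)]
        if not hits:
            continue
        due = min(date.fromisoformat(e["dueDate"]) for e in hits)
        discontinue = any("discontinue" in e["requiredAction"].lower() for e in hits)
        rows.append({"host": asset["host"], "cves": sorted(e["cveID"] for e in hits),
                     "action": "discontinue use" if discontinue else "patch",
                     "days_left": (due - today).days,
                     "ransomware": any(e["knownRansomwareCampaignUse"] == "Known" for e in hits)})
    # Removal work sorts first, then whatever is closest to its deadline.
    return sorted(rows, key=lambda r: (r["action"] != "discontinue use", r["days_left"]))
```

Running `triage(INVENTORY, KEV, date.today())` against a real inventory export and the live KEV feed is the intended use; the substring product match is deliberately loose and should be tightened to your CMDB's naming.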
Timeline and immediate mitigation emphasis
CISA’s action is both categorical — adding these bugs to KEV because of active exploitation evidence — and temporal: the May 8, 2026 recommendation compresses time for remediation, especially for organizations that must locate legacy devices or apply vendor patches. For the D-Link DIR-823X series, the agency’s guidance goes beyond patching to recommend discontinuation of the device, reflecting both the vulnerability’s nature and the product’s end-of-life status as presented in the advisory.
The addition of four specific CVEs to the KEV list, coupled with named ties to DragonForce, Mirai, and the "tuxnokill" variant, leaves a straightforward but urgent question: will agencies and organizations with these products in place meet the May 8, 2026 window to apply fixes or remove affected equipment?
Source: The Hacker News — CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline