CISA flags SimpleHelp, Samsung and D-Link flaws as actively exploited

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities affecting remote support software, enterprise display management systems, and consumer-grade routers to its Known Exploited Vulnerabilities (KEV) catalog, indicating in-the-wild exploitation.

The updated list includes two SimpleHelp flaws: CVE-2024-57726 and CVE-2024-57728. The first vulnerability stems from a missing authorization check that allows low-privileged technician accounts to generate API keys with elevated permissions. The second one is a path traversal issue caused by improper validation of archive extraction paths. By uploading a crafted ZIP file exploiting a “zip slip” condition, an attacker with admin access can write arbitrary files anywhere on the filesystem, potentially leading to remote code execution under the SimpleHelp service account.

While CISA didn’t mark the SimpleHelp vulnerabilities as exploited by ransomware, previous reports said that they were used as initial access vectors in campaigns attributed to the DragonForce ransomware group.

The third flaw with confirmed exploitation is CVE-2024-7399, a path traversal vulnerability in Samsung MagicINFO 9 Server, which allows attackers to write arbitrary files with system-level privileges. It has previously been linked to campaigns deploying variants of the Mirai botnet malware strain used to ensnare devices into distributed denial-of-service (DDoS) attacks.

The fourth vulnerability (CVE-2025-29635) affects end-of-life D-Link DIR-823X routers. The issue is related to improper input sanitization in the /goform/set_prohibiting endpoint, where crafted POST requests can inject arbitrary system commands. The flaw was observed in attacks deploying a Mirai-based variant known as “tuxnokill.”
