CISA adds 4 exploited flaws, May 2026 deadline set
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known
What Happened
On Friday, CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a critical flaw in D-Link DIR-823X series routers, alongside issues affecting SimpleHelp and Samsung MagicINFO 9 Server. Federal civilian agencies are required to remediate these vulnerabilities by May 2026 under Binding Operational Directive (BOD) 22-01. The addition signals active exploitation in the wild and elevates risk for any organization using these products.
CVE-2024-57726 affects D-Link DIR-823X routers and has been observed in targeted attacks. While CISA has not released specific attack details, the vulnerability likely allows remote attackers to execute arbitrary code or cause denial of service on affected devices. D-Link has not issued a patch for this model, as it has reached end-of-life (EOL) status.
Why It Matters
This KEV addition represents a significant operational risk for three reasons. First, the D-Link DIR-823X is widely deployed in small office and home office (SOHO) environments, where patching discipline is notoriously poor. Second, the product is EOL, meaning no official fix exists - organizations must either isolate or replace these devices. Third, the inclusion of SimpleHelp and Samsung MagicINFO 9 Server indicates that attackers are targeting a diverse set of networking, remote support, and digital signage platforms, expanding the attack surface for enterprises.
For federal agencies, the May 2026 deadline is a hard enforcement point. Non-compliance can lead to audit findings and potential operational restrictions. For private sector organizations, this should serve as a trigger for immediate asset inventory and risk assessment.
Technical Details
CVE-2024-57726 is an unauthenticated remote code execution (RCE) vulnerability in the D-Link DIR-823X series routers. The flaw resides in the device’s web management interface, which by default listens on TCP ports 80 and 443. Attackers can exploit it without credentials by sending specially crafted HTTP requests, and exploitation complexity is low.
The D-Link DIR-823X is a dual-band AC1200 router commonly found in home and small business networks. The device has been EOL for several years, and D-Link has confirmed it will not release a firmware update. The product is also vulnerable to other known issues, including a buffer overflow vulnerability (CVE-2026-4529) and additional unpatched flaws (CVE-2026-2962, CVE-2026-2959).
The other three KEV additions include:
- SimpleHelp remote support software - likely exploited for initial access in ransomware campaigns.
- Samsung MagicINFO 9 Server - a digital signage management platform, targeted for lateral movement in connected environments.
Immediate Risk
The immediate risk is critical for any organization using D-Link DIR-823X routers. Since no patch exists, these devices are a permanent backdoor into networks. Attackers can execute arbitrary code to establish persistence, pivot to internal systems, or use the router as a C2 relay. For SimpleHelp and MagicINFO users, the risk is elevated but patchable - organizations should prioritize applying vendor-supplied updates.
CISA has confirmed all four flaws are being actively exploited. Given the low complexity of the D-Link bug, widespread scanning and exploitation are likely. Organizations should assume compromise if DIR-823X devices are still on their network.
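The triage rule described above (EOL devices with no patch are isolated or replaced, patchable products get the vendor update) can be applied to an asset inventory as in the following added example, which is not part of the original article. The sample entries follow the field layout of CISA's KEV JSON feed, but the due date, the two placeholder CVE ids, the inventory and its `eol` field are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample in the field layout of CISA's KEV JSON feed. The dueDate
# and the CVE-PLACEHOLDER ids are placeholders, not values from the article.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2024-57726", "vendorProject": "D-Link", "product": "DIR-823X", "dueDate": "2026-05-01"},
 {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "dueDate": "2026-05-01"},
 {"cveID": "CVE-PLACEHOLDER-2", "vendorProject": "Samsung", "product": "MagicINFO 9 Server", "dueDate": "2026-05-01"}
]}
""")

# Constructed inventory; "eol" is a hypothetical flag maintained by the asset owner.
INVENTORY = [
    {"host": "branch-gw-01", "vendor": "D-Link", "model": "DIR-823X", "eol": True},
    {"host": "support-01", "vendor": "SimpleHelp", "model": "SimpleHelp 5.5", "eol": False},
    {"host": "signage-01", "vendor": "samsung", "model": "MagicINFO 9 Server", "eol": False},
    {"host": "core-sw-01", "vendor": "Cisco", "model": "C9300", "eol": False},
]

def _norm(s):
    """Lower-case and drop punctuation/spaces so 'D-Link' matches 'dlink'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())

def triage(kev, inventory, today):
    """Match assets to KEV entries and choose an action based on EOL status."""
    findings = []
    for asset in inventory:
        for v in kev["vulnerabilities"]:
            if _norm(v["vendorProject"]) != _norm(asset["vendor"]):
                continue
            if _norm(v["product"]) not in _norm(asset["model"]):
                continue
            due = date.fromisoformat(v["dueDate"])
            # No patch will ever ship for an EOL device, so patching is not an option.
            action = "isolate-or-replace" if asset["eol"] else "apply-vendor-update"
            findings.append({"host": asset["host"], "cve": v["cveID"],
                             "action": action, "days_left": (due - today).days})
    # EOL devices first, then whichever deadline is nearest.
    return sorted(findings, key=lambda f: (f["action"] != "isolate-or-replace", f["days_left"]))

if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, date(2026, 4, 27)):
        print(finding)
```

Against the live catalog, the same function takes the parsed feed in place of `KEV_SAMPLE`; product-name matching this loose will need tuning to the naming used in a real inventory.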
Security Insight
The recurring pattern of EOL devices being added to KEV (D-Link joins a long list including Cisco, Netgear, and Zyxel) exposes a fundamental gap in how organizations manage IT lifecycles. The lesson is not just to patch, but to actively decommission and replace devices as they approach end-of-life. Many organizations keep old routers as backup hardware or for secondary networks - these are precisely the devices being targeted. A formal asset retirement policy, integrated with vulnerability management, is the only way to prevent these “zombie devices” from becoming attack vectors.