Changeflow GovPing Data Privacy & Cybersecurity CISA Adds Four Known Exploited Vulnerabilities ...
Priority review Notice Added Final

CISA Adds Four Known Exploited Vulnerabilities to Catalog

Favicon for www.cisa.gov CISA Cybersecurity Advisories
Published
Detected
Email

Summary

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The added entries are CVE-2024-7399 (Samsung MagicINFO 9 Server Path Traversal), CVE-2024-57726 (SimpleHelp Missing Authorization), CVE-2024-57728 (SimpleHelp Path Traversal), and CVE-2025-29635 (D-Link DIR-823X Command Injection). BOD 22-01 establishes the KEV Catalog as a living list of CVEs that carry significant risk to the federal enterprise and requires FCEB agencies to remediate identified vulnerabilities by the due date.

Why this matters

Organizations running Samsung MagicINFO 9 Server, SimpleHelp remote access software, or D-Link DIR-823X devices should treat remediation of these four CVEs as a near-term priority regardless of whether they are subject to BOD 22-01 — CISA has confirmed active exploitation for each entry. The specific vulnerability types (command injection, path traversal, missing authorization) are common pre-cursor attack patterns for ransomware and lateral movement, making them higher-risk even in environments where the affected products are not internet-facing.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by CISA on cisa.gov . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

GovPing monitors CISA Cybersecurity Advisories for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 11 changes logged to date.

View original document View source feed page

What changed

CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog by adding four new CVEs with confirmed active exploitation: CVE-2024-7399 affecting Samsung MagicINFO 9 Server, CVE-2024-57726 and CVE-2024-57728 affecting SimpleHelp, and CVE-2025-29635 affecting D-Link DIR-823X devices. The KEV Catalog was established by Binding Operational Directive (BOD) 22-01 as a living list of CVEs posing significant risk to the federal enterprise.

FCEB agencies are subject to mandatory remediation requirements under BOD 22-01 and must address these newly catalogued vulnerabilities by the specified due date. CISA strongly urges all organizations beyond the federal civilian executive branch to treat timely remediation of these KEV entries as a priority within their vulnerability management programs, given that path traversal, command injection, and authorization vulnerabilities are frequent attack vectors for malicious cyber actors.

Archived snapshot

Apr 24, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alert

CISA Adds Four Known Exploited Vulnerabilities to Catalog

Release Date

April 24, 2026

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
  • CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
  • CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
  • CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability These types of vulnerabilities are frequent attack vector s for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Named provisions

Known Exploited Vulnerabilities Catalog Reducing the Significant Risk of Known Exploited Vulnerabilities

Mentioned entities

Cybersecurity and Infrastructure Security Agency

Related changes

Favicon for www.cisa.gov CISA Adds Five Known Exploited Vulnerabilities to Catalog
Priority review Mar 20, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA Adds CVE-2009-0238 and CVE-2026-32201 to Known Exploited Vulnerabilities Catalog
Priority review Apr 15, 2026 CISA Cybersecurity Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA Adds Microsoft Defender CVE-2026-33825 to Known Exploited Vulnerabilities Catalog
Priority review Apr 23, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity

Get daily alerts for CISA Cybersecurity Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cisa.gov
CISA Cybersecurity Advisories cisa.gov/cybersecurity-advisories/all.xml
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
CISA
Published
April 24th, 2026
Instrument
Notice
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Government agencies Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability remediation Cybersecurity threat response Catalog updates
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Information Technology National Security

Browse Categories

Agriculture & Food Safety 84 AI Regulation 3 Banking & Finance 499 Consumer Protection 141 Courts & Legal 635 Data Privacy & Cybersecurity 150 Defense & National Security 52 Education 64 Energy 138 Environment 170 Gaming 2 Government & Legislation 522 Healthcare 15 Healthcare & Life Sciences 401 Immigration 11 Insurance 90 Labor & Employment 193 Pharma & Drug Safety 21 Professional Licensing 6 Real Estate & Housing 76 Securities & Markets 175 Tax 116 Telecom & Technology 56 Trade & Sanctions 169 Transportation 129

Get alerts for this source

We'll email you when CISA Cybersecurity Advisories publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!