3. May 2026

CISA KEV April 2026: Samsung MagicINFO, SimpleHelp and D‑Link Actively Exploited

CISA added eight new entries to its Known Exploited Vulnerabilities Catalog within one week at the end of April 2026. Three systems stand out: Samsung MagicINFO 9 Server, SimpleHelp Remote Support, and D-Link router models. In all three cases, active exploitation by botnets or ransomware groups has been documented. For DACH IT teams, the patch deadline expires on May 8, 2026.

Key Takeaways

  • 8 KEV entries, 3 critical systems. CISA delivered one of the densest KEV batches since Q1 at the end of April 2026. Samsung MagicINFO, SimpleHelp, and D-Link have confirmed active in-the-wild exploitation.
  • Botnet and ransomware directly involved. For Samsung MagicINFO, exploitation by Mirai variants for DDoS recruitment has been proven. SimpleHelp vulnerabilities were used for ransomware staging.
  • Patch deadline May 8, 2026. CISA requires US federal agencies to patch by May 8. DACH companies with NIS2 obligations should use the same deadline as a guide.
  • EOL devices in scope. Several D-Link models in this KEV batch will no longer receive patches. Immediate action: prioritize network segmentation and replacement procurement.

What is the CISA KEV Catalog? The CISA Known Exploited Vulnerabilities Catalog is a list of CVEs maintained by the US Cybersecurity and Infrastructure Security Agency for which active exploitation in real-world attacks has been proven. The catalog serves as a mandatory patch list for US federal agencies and as a de facto prioritization tool for security teams worldwide.

Samsung MagicINFO: Path traversal becomes botnet access

Samsung MagicINFO 9 Server is a digital signage management platform used in hotels, hospitals, shopping centers, and corporate lobbies worldwide. CVE-2024-7399 is a path traversal vulnerability with a CVSS score of 8.8 that allows authenticated users to write arbitrary files to the server – including executable web shell components.

What distinguishes the CISA addition in April 2026 from previous reports: Shadowserver Foundation and other honeypot operators have documented active scanning traffic and successful exploitation by Mirai-based botnet variants. Attackers primarily use MagicINFO servers for DDoS capacity, and secondarily as a pivoting point into adjacent network segments.

For DACH IT teams: Samsung has provided patches for all affected MagicINFO 9 versions. The critical question is whether MagicINFO servers in your own network are directly reachable from the internet. In many installations, this is the case – the platform manages displays via HTTP/HTTPS and is often deployed without VPN protection.

SimpleHelp: Authentication Bypass Paves Way for Ransomware

SimpleHelp is a remote support tool that serves as a more affordable alternative to TeamViewer or AnyDesk in the SME segment and among Managed Service Providers. Three vulnerabilities were reported and patched in early 2025: CVE-2024-57727 (pre-authentication path traversal), CVE-2024-57728 (arbitrary file upload) and CVE-2024-57729 (privilege escalation for technician accounts).

The combination of these three CVEs is problematic: An attacker can use CVE-2024-57727 to access configuration files, extract credentials, and then escalate to an admin account via CVE-2024-57729. Field CIRT teams from several US agencies have documented this attack chain in active incident response operations in April 2026 – the exploitation was identified as a staging step prior to ransomware deployment.

The specific danger for MSPs: when a SimpleHelp server is the central remote access point for customer systems, an attacker who compromises it potentially has access to all managed endpoints. The CISA inclusion increases the pressure to immediately identify unpatched SimpleHelp installations.

Numbers and Facts: CISA KEV April 2026

  • 8: new KEV entries in the last week of April 2026
  • 3: SimpleHelp CVEs combinable in an attack chain
  • 08.05.: patch deadline for US federal agencies (CISA BOD 22-01)

D-Link EOL Devices: No Patch, Act Immediately

Several D-Link models in the April batch belong to the End-of-Life category. D-Link has explicitly stated for these devices that it will no longer deliver security updates. The CISA KEV inclusion changes nothing in this regard – the only safe way is decommissioning or strict network segmentation.

In DACH networks, D-Link devices often appear as affordable perimeter components that have been in operation unchanged for years. The pattern is known from previous incident response cases: an outdated router on the external network serves as the initial access point from which attackers move into the internal network. NIS2 Article 21 obliges DACH companies to perform risk management for network components – EOL devices with known active exploitation are explicitly addressed in this obligation.

Priority Matrix for DACH IT Teams Until May 8

Patch Immediately (Critical)

  • Samsung MagicINFO 9 Server – all versions before the fix
  • SimpleHelp Server – all versions before 5.3.9 / 5.4.10
  • All D-Link devices with known CVEs from the KEV batch
  • Check exposed devices: are they directly internet-facing?

Immediate Actions Without Patch

  • D-Link EOL: Network segmentation, no direct internet access
  • SimpleHelp: Check logs for staging activity (last 30 days)
  • MagicINFO: Web shell scan on server directories
  • MSPs: Check all customer systems for SimpleHelp version

Source facts: CISA Known Exploited Vulnerabilities Catalog, Shadowserver Foundation April 2026, NVD CVE database.

Frequently Asked Questions

Does the CISA patch deadline also apply to DACH companies?

The CISA Binding Operational Directive 22-01 is formally binding only for US federal agencies and has no direct legal effect on DACH companies. In practice, however, NIS2 obligations (§ 21 NIS2UmsuCG) and BSI IT baseline protection requirements follow a similar logic: known exploited vulnerabilities must be remediated with risk-appropriate speed. The CISA deadline can serve as a proven reference point, especially if your own policies do not define specific deadlines.

How do I check if SimpleHelp is affected in our environment?

Two verification paths: First, verify the version – the critical CVEs affect SimpleHelp before version 5.3.9 (for the 5.3.x branch) and before 5.4.10 (for the 5.4.x branch). Second, check logs – suspicious activities for CVE-2024-57727 appear as unusual HTTP requests to the path /interface/interface.html with path-traversal patterns like ../../. A SIEM alert on these patterns for the last 30 days is a useful quick check.
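Both verification paths can be scripted. The following is an added example, not code from the article or from SimpleHelp: it assumes the server sits behind a proxy that writes common/combined access logs, and the sample lines, IP addresses and file names are constructed. It flags traversal sequences anywhere in the request target, including percent-encoded and double-encoded forms, which is broader than the literal ../../ string.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

TRAVERSAL = re.compile(r"\.\.[/\\]")
# Assumed layout: common/combined access log (ip - - [time] "METHOD target ..." status).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def is_vulnerable(version):
    """Affected per the article: before 5.3.9, or on 5.4.x before 5.4.10."""
    v = tuple(int(p) for p in version.split("."))
    if v[:2] == (5, 4):
        return v < (5, 4, 10)
    return v < (5, 3, 9)

def normalize(target, rounds=3):
    """Percent-decode repeatedly so encoded and double-encoded '../' is caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_requests(lines, now, days=30):
    """Return (time, client, target, status) for traversal requests in the window."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        ip, ts, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if when >= cutoff and TRAVERSAL.search(normalize(target)):
            hits.append((when.isoformat(), ip, target, int(status)))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2026:02:14:09 +0000] "GET /interface/interface.html?f=../../placeholder.txt HTTP/1.1" 200 512',
    '198.51.100.23 - - [29/Apr/2026:11:40:31 +0000] "GET /interface/interface.html?f=%252e%252e%252fplaceholder.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [30/Apr/2026:08:00:00 +0000] "GET /interface/interface.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Mar/2026:23:59:59 +0000] "GET /interface/interface.html?f=../../placeholder.txt HTTP/1.1" 200 512',
]
NOW = datetime(2026, 5, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, NOW):
        print(hit)
    print("5.4.9 affected:", is_vulnerable("5.4.9"))
```

Hits answered with a 2xx status deserve review first, since a successful response to a traversal request suggests the file read may have worked.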

What to do if the affected D-Link device cannot be replaced?

Pragmatic interim measures: Remove the device from the direct internet path and place it behind a patched UTM/firewall device. Isolate the management interface on a separate, non-routed management VLAN. Force remote access to the device through a VPN instead of allowing it directly. These measures significantly reduce the attack surface, but they are not a long-term substitute for replacing the device.

How many KEV entries has CISA published so far in 2026?

As of the end of April 2026, CISA has published over 80 new KEV entries in 2026. The pace is slightly above the comparable period in 2025. The current April batch is one of the largest single additions this year. The CISA website (cisa.gov/known-exploited-vulnerabilities-catalog) lists all entries with the addition date and patch deadline.

Author: Benedikt Langer
A magazine by Evernine Media GmbH