CISA’s decision on April 24, 2026, to add four more flaws to its Known Exploited Vulnerabilities Catalog is another reminder that the most dangerous bugs are not always the ones with the highest theoretical CVSS score. The agency has flagged vulnerabilities in Samsung MagicINFO, SimpleHelp remote access software, and D-Link routers—all of which are now being actively exploited in the wild.
Federal agencies are required to patch these vulnerabilities by May 15, 2026, under Binding Operational Directive (BOD) 22-01. But the urgency extends far beyond government networks. Any organization using these products should treat this as a critical alert.
The Four Vulnerabilities Added to the KEV Catalog
CISA added four specific CVEs to its catalog, each with varying severity but all confirmed to be under active exploitation. Here’s the breakdown:
| CVE ID | Product | Vulnerability Type | CVSS Score | Known Exploitation |
|---|---|---|---|---|
| CVE-2024-49415 | Samsung MagicINFO | OS Command Injection | 8.7 (High) | Active |
| CVE-2024-11530 | SimpleHelp | Path Traversal | 7.5 (High) | Active |
| CVE-2024-11531 | SimpleHelp | Privilege Escalation | 7.8 (High) | Active |
| CVE-2024-11053 | D-Link DAP-1650 | Command Injection | 9.8 (Critical) | Active |
All four vulnerabilities have been confirmed as exploited in real-world attacks. CISA’s catalog entry for each includes the date added (April 24, 2026) and a short description of the flaw.
Samsung MagicINFO CVE-2024-49415: OS Command Injection in Digital Signage
Samsung MagicINFO is a content management system used for digital signage. The vulnerability, tracked as CVE-2024-49415, allows an authenticated attacker to inject operating system commands through the MagicINFO application. The flaw exists in versions prior to 23.80.15.
Successful exploitation gives the attacker the ability to execute arbitrary commands on the server running MagicINFO. This could lead to full system compromise, data exfiltration, or lateral movement within the network. The CVSS score of 8.7 reflects the high impact but also the requirement for authentication, which slightly reduces the attack surface.
Samsung released a security update in late 2024 to address this issue. Administrators should ensure they are running MagicINFO version 23.80.15 or later. The patch is available through Samsung’s support portal.
SimpleHelp Vulnerabilities: Path Traversal and Privilege Escalation
SimpleHelp is remote access and support software used by IT teams for unattended remote control. Two vulnerabilities were added to the KEV catalog:
CVE-2024-11530 (Path Traversal): This vulnerability allows an attacker to read arbitrary files on the SimpleHelp server. By crafting a special request, an unauthenticated attacker can traverse directories and access sensitive files such as configuration files, credentials, or logs. The CVSS score is 7.5.
CVE-2024-11531 (Privilege Escalation): This flaw enables a local attacker to escalate privileges to SYSTEM on the SimpleHelp server. An attacker needs only low privileges to begin, but once the flaw is exploited they gain full control over the system. The CVSS score is 7.8.
The combination of these two vulnerabilities is particularly dangerous. An attacker could first exploit the path traversal to read credentials, then use those credentials to gain access and escalate privileges. SimpleHelp released patches in late 2024. Users should update to the latest version immediately.
D-Link DAP-1650 CVE-2024-11053: Critical Command Injection in End-of-Life Router
The D-Link DAP-1650 is a Wi-Fi range extender that reached end-of-life in 2021. Despite being discontinued, many units remain in use. CVE-2024-11053 is a command injection vulnerability in the web management interface, rated critical with a CVSS score of 9.8. An unauthenticated attacker can exploit this flaw remotely to execute arbitrary commands on the device.
Because the product is end-of-life, D-Link will not release a patch. The only viable mitigation is to replace the device with a supported model or isolate it from the network. CISA’s inclusion of this vulnerability underscores the persistent risk of using outdated hardware.
Why CISA’s KEV Catalog Matters
The Known Exploited Vulnerabilities Catalog is part of CISA’s Binding Operational Directive 22-01, which requires federal civilian executive branch agencies to remediate listed vulnerabilities within specific timeframes. While the directive applies only to federal agencies, the catalog serves as a critical resource for all organizations.
CISA adds vulnerabilities only when there is credible evidence of active exploitation. This means these are not theoretical risks—attackers are already using them. The catalog currently contains over 1,000 vulnerabilities, and new entries are added regularly.
Practical Steps for IT Teams
If your organization uses any of these products, take immediate action:
- Identify affected systems: Scan your network for Samsung MagicINFO installations, SimpleHelp servers, and D-Link DAP-1650 devices.
- Apply patches: For Samsung MagicINFO, update to version 23.80.15 or later. For SimpleHelp, update to the latest version released in late 2024.
- Replace end-of-life hardware: The D-Link DAP-1650 has no patch available. Replace it with a supported device or segment it from the network.
- Check for signs of compromise: Review logs for unusual command execution, file access anomalies, or privilege escalation attempts.
- Stay informed: Monitor CISA’s KEV catalog regularly for new additions.
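The identification and monitoring steps above can be automated against the KEV feed itself. The following is an added example, not code from the article or from CISA: it parses a JSON document in the shape of CISA's public KEV feed (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` fields), matches entries against a constructed asset inventory, and ranks the hits by days remaining until the BOD 22-01 due date. The feed sample and inventory are constructed for the example and contain only the four entries discussed here.

```python
import json
from datetime import date

# Constructed sample in the shape of the real KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
# limited to the four entries from the article; descriptions omitted.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-49415", "vendorProject": "Samsung", "product": "MagicINFO",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-15"},
    {"cveID": "CVE-2024-11530", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-15"},
    {"cveID": "CVE-2024-11531", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-15"},
    {"cveID": "CVE-2024-11053", "vendorProject": "D-Link", "product": "DAP-1650",
     "dateAdded": "2026-04-24", "dueDate": "2026-05-15"},
]})

# Constructed asset inventory: hostname -> product string as a CMDB might store it.
INVENTORY = {
    "signage-01": "Samsung MagicINFO Server",
    "support-srv": "SimpleHelp Remote Support",
    "wifi-ext-03": "D-Link DAP-1650 range extender",
    "fw-edge": "Fortinet FortiGate",  # not in the sample feed; must not match
}

def load_kev(feed_text):
    """Parse the KEV feed JSON and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]

def matches(entry, product_string):
    """True when both the vendor and the product name of a KEV entry appear
    (case-insensitively) in an inventory product string."""
    s = product_string.lower()
    return entry["vendorProject"].lower() in s and entry["product"].lower() in s

def days_until_due(entry, today):
    """Days left until the entry's BOD 22-01 due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days

def find_exposures(feed_text, inventory, today_iso):
    """Return (host, cveID, days_left) for every inventory item hit by a KEV
    entry, most urgent first (fewest days left, then CVE id)."""
    today = date.fromisoformat(today_iso)
    hits = [(host, e["cveID"], days_until_due(e, today))
            for e in load_kev(feed_text)
            for host, prod in inventory.items() if matches(e, prod)]
    return sorted(hits, key=lambda h: (h[2], h[1]))

if __name__ == "__main__":
    for host, cve, left in find_exposures(KEV_SAMPLE, INVENTORY, "2026-04-24"):
        print(f"{host:12} {cve}  due in {left:3d} days")
```

Pointing `load_kev` at the live feed (fetched separately) and re-running on a schedule turns the "stay informed" step into a standing check; hits with a negative `days_left` are already past their federal deadline.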
The Bigger Picture: Active Exploitation of Known Vulnerabilities
These four additions highlight a persistent trend: attackers continue to exploit known vulnerabilities that have patches available. In the case of the D-Link device, the vulnerability is in an unsupported product, but the other two products have fixes that organizations may not have applied.
CISA’s catalog is a powerful tool for prioritizing patching. By focusing on vulnerabilities that are actively exploited, organizations can allocate resources more effectively. The May 15 deadline for federal agencies is a reasonable timeframe, but private organizations should move faster.
Conclusion
The addition of these four vulnerabilities to CISA’s KEV catalog is a clear signal to IT teams. Samsung MagicINFO, SimpleHelp, and D-Link products are under active attack. Patching is not optional—it’s a matter of operational security. The clock is ticking. By May 15, federal agencies must have these flaws remediated. For everyone else, the time to act is now.
Stay vigilant, patch promptly, and always replace end-of-life hardware. The attackers are counting on you not to.