What Happened
CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate by May 8. The four CVEs span three products widely deployed in enterprise and SMB environments.
SimpleHelp — two flaws confirmed in active use as ransomware precursors by the DragonForce operation:
- CVE-2024-57726 (CVSS 9.9): Missing authorization allows low-privileged technicians to generate API keys with admin-level permissions, enabling full server takeover.
- CVE-2024-57728 (CVSS 7.2): Path traversal in the admin interface allows upload of arbitrary files anywhere on the file system via a crafted zip, leading to remote code execution.
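The crafted-zip path traversal class described for CVE-2024-57728, seen from the defender's side: an added example (not SimpleHelp's code and not from the original article) that lists archive entries which would be written outside the intended upload directory. The destination path `/srv/app/uploads`, the function names, and the sample entry names are constructed placeholders.

```python
import io
import posixpath
import zipfile


def unsafe_zip_entries(zip_bytes, dest_root="/srv/app/uploads"):
    """Return (entry name, reason) for entries that would land outside dest_root.

    dest_root is a hypothetical upload directory used only for path arithmetic;
    nothing is extracted or written to disk.
    """
    findings = []
    root = posixpath.normpath(dest_root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            # Treat backslashes as separators too, since Windows extractors do.
            name = info.filename.replace("\\", "/")
            # Upper 16 bits of external_attr carry the Unix mode, if present.
            file_type = (info.external_attr >> 16) & 0o170000
            # Conservative: a leading slash or a drive-letter style "X:" prefix.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
            elif file_type == 0o120000:
                findings.append((info.filename, "symbolic link"))
            else:
                # Collapse "../" segments, then require the result to stay in root.
                target = posixpath.normpath(posixpath.join(root, name))
                if target != root and not target.startswith(root + "/"):
                    findings.append((info.filename, "escapes destination"))
    return findings


def build_sample_zip(names):
    """Constructed sample input: an in-memory zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(
        ["docs/readme.txt", "a/../b.txt", "../../outside.txt", "/etc/placeholder.conf"]
    )
    for entry, reason in unsafe_zip_entries(sample):
        print(f"REJECT {entry}: {reason}")
```

An upload handler would reject the whole archive when this list is non-empty, before any entry is extracted.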
Samsung MagicINFO 9 Server — CVE-2024-7399 (CVSS 8.8): A path traversal flaw allows an unauthenticated attacker to write arbitrary files with SYSTEM authority. Mirai botnet variants are actively exploiting this flaw against internet-exposed instances.
D-Link DIR-823X — CVE-2025-29635 (CVSS 7.5): A command injection vulnerability in these home and SMB routers enables authorized attackers to execute arbitrary commands on the device. Active exploitation by Mirai-family malware has been confirmed.
Source: The Hacker News
Why This Matters for Canadian Organizations
SimpleHelp is a remote support and remote monitoring and management (RMM) tool used by managed service providers and internal IT teams throughout Canada. The DragonForce ransomware operation’s confirmed use of these flaws as precursors means Canadian MSPs and the small and medium businesses they serve face a direct ransomware delivery risk through a tool meant to protect and manage their infrastructure. Any SimpleHelp deployment running versions prior to the patched release is a potential ransomware entry point today.
Samsung MagicINFO is a digital signage management platform installed on networks in Canadian retail, hospitality, transit systems, and public venues. Unauthenticated file write as SYSTEM against an internet-exposed MagicINFO server gives an attacker full control of the host and potentially a foothold into adjacent network segments. Organizations managing digital signage infrastructure should treat this as an urgent remediation rather than a routine patch.
D-Link DIR-823X routers are commonly found in Canadian SMB and home-office environments. With hybrid work still the norm for many Canadian professionals, routers at remote worker locations represent an attack surface that connects directly into corporate VPNs and zero-trust access systems. A compromised router at an employee’s home or small office gives attackers a persistent network-level position from which to intercept traffic, pivot, or disrupt connectivity. The CCCS has consistently flagged end-of-life and unpatched edge devices as a primary attack vector in its annual threat reporting.
PIPEDA and sector-specific regulations such as OSFI B-13 place affirmative obligations on Canadian organizations to protect personal and financial data. A ransomware intrusion through an unpatched SimpleHelp instance, or data exfiltration via a compromised MagicINFO server, creates breach notification obligations under federal and provincial privacy law.
What to Do
Patch SimpleHelp immediately. Review your deployment for the specific vulnerable versions and apply the latest update. Audit API key permissions and revoke any keys with unexplained elevated access.
Check whether Samsung MagicINFO 9 Server is internet-exposed in your environment. If it does not require direct internet access, place it behind a firewall or network access control policy and apply the vendor patch. Scan for evidence of unauthorized file writes on the host.
For D-Link DIR-823X routers, check whether firmware updates are available. If the device is end-of-life with no available patch, replace it. Prioritize router replacements for employees whose home networks connect to corporate systems via VPN.
Organizations that do not directly manage these products should verify with their MSPs and managed security service providers whether any of these CVEs are present in their managed estate and confirm remediation timelines in writing.






