CISA Adds Four Exploited Flaws to KEV: SimpleHelp RMT and Samsung MagicINFO Head New Additions

CISA's Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung's MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.


Federal Deadline Triggers for Four New Exploited Vulnerabilities

CISA has added four new entries to its Known Exploited Vulnerabilities (KEV) catalogue, designating them as confirmed under active exploitation and setting a remediation deadline for federal agencies in early May 2026. While Binding Operational Directive 22-01 formally mandates compliance for federal civilian executive branch agencies, the catalogue functions as a de facto priority list for enterprise defenders across all sectors.

The four new entries span remote management tooling and digital display infrastructure, categories that often receive less rigorous patch cadence than core network or identity systems.

SimpleHelp Remote Management Tool: Two Critical Flaws

CVE-2024-57726 and CVE-2024-57728 affect SimpleHelp, an on-premises remote management and monitoring (RMM) platform used by managed service providers and internal IT teams for remote support sessions.

CVE-2024-57726: A missing authorisation check in the SimpleHelp server interface allows an unauthenticated remote attacker to enumerate user accounts, extract session tokens, and escalate to administrator access without credentials. CVSS 9.8.

CVE-2024-57728: A path traversal vulnerability enables unauthenticated file read and write on the host server, allowing an attacker to overwrite configuration files or establish persistent access. CVSS 9.4.

SimpleHelp is deployed as an alternative to TeamViewer, ConnectWise ScreenConnect, and AnyDesk. Its presence in MSP environments makes it particularly high-value: compromising a SimpleHelp server grants access to every client endpoint the MSP manages through that platform. This attack surface mirrors the pattern exploited in the 2021 Kaseya VSA breach, where a single RMM server compromise cascaded to thousands of downstream victims. Threat actors have taken notice.

Samsung MagicINFO: Signage Platform RCE

CVE-2024-7399 is a remote code execution vulnerability in Samsung MagicINFO, the content management server used to centrally control Samsung commercial displays and digital signage. An authenticated attacker with any user-level account can upload arbitrary files to the server and execute them, achieving full server compromise.

MagicINFO is deployed in retail, hospitality, healthcare, corporate environments, and transport hubs. Though the attack surface may seem peripheral compared to core infrastructure, MagicINFO servers are frequently on-premises and connected to corporate networks, making them a lateral movement staging point. The vulnerability was publicly reported in late 2024; CISA's KEV addition confirms threat actors have weaponised the available proof-of-concept.

The Broader RMM Tool Pattern

This is the fifth RMM-related addition to the KEV catalogue in 2026 alone. Remote management tools represent a structural risk: they are designed to provide broad authenticated access to endpoints, they are often internet-exposed for ease of use, and they tend to accumulate in enterprise environments through acquisitions and departmental procurement without appearing in centralised asset inventories.

The attack economics are straightforward. A single compromised RMM server yields authenticated access to every managed endpoint in its scope, making the effort-to-access ratio far more favourable than targeting individual systems.

  • Audit all SimpleHelp deployments across managed and unmanaged tenants; apply patches for CVE-2024-57726 and CVE-2024-57728 immediately; isolate any internet-exposed SimpleHelp instances pending patching
  • Rotate SimpleHelp credentials on any unpatched instance that had internet exposure; assume session token compromise and revoke all active sessions
  • Audit Samsung MagicINFO deployments: apply the latest patch, verify the server is not directly internet-accessible, and confirm network segmentation from sensitive zones
  • Conduct a formal RMM tool audit: inventory all remote management platforms in use, including paid tools, open-source alternatives, and legacy deployments from acquired organisations
  • FCEB agencies: remediation is mandatory by the published BOD 22-01 deadline; confirm compliance through your agency's vulnerability management process
  • Critical infrastructure operators: treat the May deadline as the target date regardless of the BOD applicability to your sector
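
One way to turn the checklist above into a repeatable triage pass, as an added example that is not part of the original article: it matches an asset inventory against KEV-style entries and orders the work so exposed, unpatched hosts come first. The feed excerpt, the due date, the hostnames and the inventory field names are all constructed assumptions.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. CVE IDs come from the
# article; dueDate is a placeholder because the article gives no exact date.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2024-57726", "product": "SimpleHelp", "dueDate": "2026-05-01"},
 {"cveID": "CVE-2024-57728", "product": "SimpleHelp", "dueDate": "2026-05-01"},
 {"cveID": "CVE-2024-7399",  "product": "MagicINFO",  "dueDate": "2026-05-01"}]}""")

# Constructed inventory; hostnames and field names are hypothetical.
INVENTORY = [
    {"host": "helpdesk-02", "product": "SimpleHelp Server", "internet_exposed": False, "patched": False},
    {"host": "msp-rmm-01", "product": "SimpleHelp Server", "internet_exposed": True, "patched": False},
    {"host": "signage-cms", "product": "Samsung MagicINFO Server", "internet_exposed": True, "patched": False},
    {"host": "rmm-legacy", "product": "SimpleHelp Server", "internet_exposed": True, "patched": True},
    {"host": "build-07", "product": "Jenkins", "internet_exposed": False, "patched": False},
]

# Extra steps the article lists for exposed, unpatched instances of each product.
EXPOSED_ACTIONS = {
    "simplehelp": ["isolate pending patch", "rotate credentials", "revoke active sessions"],
    "magicinfo": ["remove direct internet access", "confirm segmentation"],
}

def kev_index(feed):
    """Map lower-cased product name -> its CVE list and earliest due date."""
    index = {}
    for v in feed["vulnerabilities"]:
        entry = index.setdefault(v["product"].lower(), {"cves": [], "due": v["dueDate"]})
        entry["cves"].append(v["cveID"])
        entry["due"] = min(entry["due"], v["dueDate"])  # ISO dates sort as strings
    return index

def triage(inventory, feed, today):
    """Return unpatched KEV-affected assets, internet-exposed hosts first."""
    index, findings = kev_index(feed), []
    for asset in inventory:
        for product, kev in index.items():
            if product not in asset["product"].lower() or asset["patched"]:
                continue
            extra = EXPOSED_ACTIONS.get(product, []) if asset["internet_exposed"] else []
            findings.append({"host": asset["host"], "cves": kev["cves"],
                             "exposed": asset["internet_exposed"],
                             "actions": extra + ["patch"],
                             "days_left": (date.fromisoformat(kev["due"]) - today).days})
    return sorted(findings, key=lambda f: (not f["exposed"], f["days_left"]))

if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV_FEED, date(2026, 4, 20)):
        print(finding)
```

Matching is by product name only because the article gives no fixed versions; the `patched` flag has to come from your own patch verification.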
