CISA Adds Four Exploited Flaws to KEV — SimpleHelp RMT and Samsung MagicINFO Head New Additions

CISA's Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung's MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.

Federal Deadline Triggers for Four New Exploited Vulnerabilities

CISA has added four new entries to its Known Exploited Vulnerabilities (KEV) catalogue, designating them as confirmed under active exploitation and setting a remediation deadline for federal agencies in early May 2026. While Binding Operational Directive 22-01 formally mandates compliance for federal civilian executive branch agencies, the catalogue functions as a de facto priority list for enterprise defenders across all sectors.

The four new entries span remote management tooling and digital display infrastructure — categories that often see a less rigorous patch cadence than core network or identity systems.

SimpleHelp Remote Management Tool — Two Critical Flaws

CVE-2024-57726 and CVE-2024-57728 affect SimpleHelp, an on-premises remote management and monitoring (RMM) platform used by managed service providers and internal IT teams for remote support sessions.

CVE-2024-57726 — A missing authorisation check in the SimpleHelp server interface allows an unauthenticated remote attacker to enumerate user accounts, extract session tokens, and escalate to administrator access without credentials. CVSS 9.8.

CVE-2024-57728 — A path traversal vulnerability enables unauthenticated file read and write on the host server, allowing an attacker to overwrite configuration files or establish persistent access. CVSS 9.4.

SimpleHelp is deployed as an alternative to TeamViewer, ConnectWise ScreenConnect, and AnyDesk. Its presence in MSP environments makes it particularly high-value: compromising a SimpleHelp server grants access to every client endpoint the MSP manages through that platform. This attack surface mirrors the pattern exploited in the 2021 Kaseya VSA breach, where a single RMM server compromise cascaded to thousands of downstream victims. Threat actors have taken notice.

Samsung MagicINFO — Signage Platform RCE

CVE-2024-7399 is a remote code execution vulnerability in Samsung MagicINFO, the content management server used to centrally control Samsung commercial displays and digital signage. An authenticated attacker with any user-level account can upload arbitrary files to the server and execute them, achieving full server compromise.

MagicINFO is deployed in retail, hospitality, healthcare, corporate environments, and transport hubs. Though the attack surface may seem peripheral compared to core infrastructure, MagicINFO servers are frequently on-premises and connected to corporate networks, making them a lateral movement staging point. The vulnerability was publicly reported in late 2024; CISA’s KEV addition confirms threat actors have weaponised the available proof-of-concept.

The Broader RMM Tool Pattern

This is the fifth RMM-related addition to the KEV catalogue in 2026 alone. Remote management tools represent a structural risk: they are designed to provide broad authenticated access to endpoints, they are often internet-exposed for ease of use, and they tend to accumulate in enterprise environments through acquisitions and departmental procurement without appearing in centralised asset inventories.

The attack economics are straightforward. A single compromised RMM server yields authenticated access to every managed endpoint in its scope — making the effort-to-access ratio far more favourable than targeting individual systems.

  • Audit all SimpleHelp deployments across managed and unmanaged tenants; apply patches for CVE-2024-57726 and CVE-2024-57728 immediately; isolate any internet-exposed SimpleHelp instances pending patching
  • Rotate SimpleHelp credentials on any unpatched instance that had internet exposure; assume session token compromise and revoke all active sessions
  • Audit Samsung MagicINFO deployments: apply the latest patch, verify the server is not directly internet-accessible, and confirm network segmentation from sensitive zones
  • Conduct a formal RMM tool audit: inventory all remote management platforms in use — paid tools, open-source alternatives, and legacy deployments from acquired organisations
  • FCEB agencies: remediation is mandatory by the published BOD 22-01 deadline; confirm compliance through your agency’s vulnerability management process
  • Critical infrastructure operators: treat the May deadline as the target date regardless of the BOD applicability to your sector
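The audit steps above reduce to one recurring task: match an asset inventory against the KEV feed and rank what must be fixed first. The following is an added example, not the article's or CISA's code. The KEV excerpt and the inventory are constructed inline; the excerpt reuses the field names of the public CISA KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but its dates are illustrative placeholders rather than the published deadlines.

```python
from dataclasses import dataclass
from datetime import date

# Constructed KEV excerpt (not the live feed): it reuses the public feed's
# field names, but the dueDate values are illustrative placeholders.
KEV_SNAPSHOT = [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO",
     "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
]

@dataclass
class Asset:
    host: str
    vendor: str
    product: str
    internet_exposed: bool  # drives ordering: exposed instances are isolated/patched first

# Constructed inventory; the last host runs a product that is not in the feed.
INVENTORY = [
    Asset("rmm-01.example.internal", "SimpleHelp", "SimpleHelp", True),
    Asset("signage-01.example.internal", "Samsung", "MagicINFO", False),
    Asset("support-02.example.internal", "TeamViewer", "TeamViewer", True),
]

def index_kev(feed):
    """Group KEV entries by a normalised (vendor, product) key."""
    idx = {}
    for entry in feed:
        key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
        idx.setdefault(key, []).append(entry)
    return idx

def prioritise(assets, feed, today_iso):
    """Return one record per (asset, KEV entry) match, internet-exposed hosts first,
    then by soonest due date; 'overdue' flags deadlines already missed."""
    today = date.fromisoformat(today_iso)
    idx = index_kev(feed)
    hits = []
    for asset in assets:
        key = (asset.vendor.strip().lower(), asset.product.strip().lower())
        for entry in idx.get(key, []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            hits.append({"host": asset.host, "cve": entry["cveID"],
                         "internet_exposed": asset.internet_exposed,
                         "days_left": days_left, "overdue": days_left < 0})
    hits.sort(key=lambda h: (not h["internet_exposed"], h["days_left"], h["cve"]))
    return hits
```

Calling `prioritise(INVENTORY, KEV_SNAPSHOT, "2026-04-20")` lists both SimpleHelp CVEs for the exposed RMM host ahead of the internal MagicINFO server and omits the TeamViewer host, which has no KEV entry in the excerpt.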
