By Lyrie Threat Intelligence·4/25/2026

What happened

Lyrie Threat Intelligence is flagging a convergence across four recent, actively exploited advisories that map cleanly to CISA KEV prioritization logic: two SimpleHelp server vulnerabilities, one Samsung MagicINFO 9 Server issue, and a D-Link DIR‑823x firmware flaw (CVE‑2024‑57726, CVE‑2024‑57728, CVE‑2024‑7399, and CVE‑2025‑29635).

Each advisory is tagged “actively exploited,” putting them into the highest urgency band for patching and mitigation workflows (CVE‑2024‑57726, CVE‑2024‑57728, CVE‑2024‑7399, CVE‑2025‑29635).

These four sit squarely in the class of internet‑exposed admin or device management surfaces that CISA’s Known Exploited Vulnerabilities (KEV) program is designed to spotlight for rapid remediation (CISA KEV Catalog).

Why it matters

KEV entries drive federal and private‑sector patch SLAs because CISA only catalogs vulnerabilities with verified in‑the‑wild exploitation and available fixes or mitigations, making them near‑term risk multipliers (CISA KEV Catalog).

All four targets are classic perimeter or quasi‑perimeter services—remote support, digital signage management, and consumer/SMB routing—frequently exposed to the internet and operated with limited hardening, which accelerates exploit ROI for attackers (CVE‑2024‑57726, CVE‑2024‑7399, CVE‑2025‑29635).

CISA’s Binding Operational Directive framework treats KEV as a patch‑by‑date obligation for federal agencies and a de‑facto yardstick for everyone else, pushing teams to fix what’s actively being hit before everything else (CISA KEV Catalog).

Technical detail

  • CVE‑2024‑57726 targets the SimpleHelp remote support stack, a role typically reachable over the network for remote admin and support, which makes exploitation attempts operationally simple and scalable for threat actors (CVE‑2024‑57726).
  • CVE‑2024‑57728 is a second SimpleHelp issue in the same product family, signaling that clustered exploitation against that ecosystem is probable once scanning identifies exposed servers (CVE‑2024‑57728).
  • CVE‑2024‑7399 impacts Samsung’s MagicINFO 9 Server, a centralized digital signage manager that often runs with elevated backend privileges, which expands blast radius if compromised (CVE‑2024‑7399).
  • CVE‑2025‑29635 hits D‑Link DIR‑823x series firmware, placing consumer/SMB edge routing directly in scope for compromise, lateral movement, or botnet conscription once reachable from the internet or WAN side (CVE‑2025‑29635).

The shared pattern is straightforward and dangerous: exposed management planes plus verified exploitation means these are high‑volume targets for automated scanning and spray‑style attacks, which mirrors why KEV exists as a minimum viable prioritization list (CISA KEV Catalog).

Operationally, defenders should treat these as likely pre‑auth or low‑friction attack surfaces because the affected products are designed to accept inbound sessions before any deep trust decisions are made, which compresses attacker dwell time from probe to execution (CVE‑2024‑57726, CVE‑2024‑7399).

Even when exploitation requires some configuration nuance, the exposure class ensures mass‑exploitation attempts will be noisy and rapid once working methods circulate, which aligns with “actively exploited” status across all four advisories (CVE‑2024‑57728, CVE‑2025‑29635).

Defense

  • Inventory and exposure control: enumerate internet‑reachable instances of SimpleHelp, MagicINFO, and DIR‑823x series devices, then gate with VPN or IP allow‑lists to remove opportunistic attack paths (CVE‑2024‑57726, CVE‑2024‑7399, CVE‑2025‑29635).
  • Patch with prejudice: apply the latest vendor‑released fixes or mitigations referenced in the advisories and document completion against your KEV‑aligned patch queue for auditability and recurrence tracking (CISA KEV Catalog).
  • Compensating controls: where patching lags, deploy WAF/edge rulesets to restrict method verbs and suspicious paths for the affected services, and enforce strong auth on any public admin endpoints to cut drive‑by attempts (CVE‑2024‑57728, CVE‑2024‑7399).
  • Monitor and triage: treat anomalous spikes in inbound connections, repeated 4xx/5xx sequences, and unusual process spawns or config changes on these hosts as incident triggers tied to the CVEs’ active exploitation status (CVE‑2024‑57726, CVE‑2025‑29635).
  • IR readiness: assume compromise if you find unpatched, exposed instances and pivot immediately to credential rotation, log preservation, and fresh image deployment where feasible, prioritizing services mapped to KEV‑class risk (CISA KEV Catalog).
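One way to turn the "repeated 4xx/5xx sequences" trigger from the monitoring bullet into a check over a management host's access log. This is an added example, not Lyrie's detection logic; the log lines, source addresses, paths and the threshold/window defaults are constructed assumptions, and the log is assumed to be in chronological common log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (documentation IP ranges, made-up paths), common log format.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2026:10:00:01 +0000] "GET /constructed/p1 HTTP/1.1" 404 153
203.0.113.7 - - [25/Apr/2026:10:00:05 +0000] "GET /constructed/p2 HTTP/1.1" 404 153
192.0.2.10 - - [25/Apr/2026:10:00:06 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [25/Apr/2026:10:00:09 +0000] "POST /constructed/p3 HTTP/1.1" 500 0
198.51.100.20 - - [25/Apr/2026:10:00:10 +0000] "GET /constructed/p1 HTTP/1.1" 404 153
203.0.113.7 - - [25/Apr/2026:10:00:20 +0000] "POST /constructed/p3 HTTP/1.1" 500 0
203.0.113.7 - - [25/Apr/2026:10:00:31 +0000] "GET /constructed/p4 HTTP/1.1" 403 0
198.51.100.20 - - [25/Apr/2026:10:05:10 +0000] "GET /constructed/p1 HTTP/1.1" 404 153
truncated line without fields
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})\b'
)

def error_bursts(log_text, threshold=5, window_s=60):
    """Map each source to the time its `threshold`-th 4xx/5xx landed within `window_s` seconds."""
    recent = defaultdict(deque)   # per-source timestamps of recent error responses
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["status"]) < 400:
            continue              # skip malformed lines and non-error responses
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["src"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop errors that fell out of the sliding window
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = ts # first moment the burst condition was met
    return alerts

if __name__ == "__main__":
    for src, when in error_bursts(SAMPLE_LOG).items():
        print(f"incident trigger: {src} error burst at {when.isoformat()}")
```

Tune `threshold` and `window_s` against each service's normal error rate before wiring the result into alerting.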

Lyrie Verdict

These four advisories tick every box for automated adversaries: exposed control planes, verified exploitation, and heterogeneous targets with long‑tail deployments, which makes them prime KEV‑priority candidates for immediate action (CISA KEV Catalog).

Lyrie treats live exploitation signals tied to SimpleHelp, MagicINFO, and DIR‑823x as machine‑speed priorities—our detectors weight edge‑service telemetry and raise autonomous blocks when we observe exploitation sequences associated with these CVEs across monitored perimeters (CVE‑2024‑57726, CVE‑2024‑7399, CVE‑2025‑29635).

The immediate move: patch or isolate all exposed instances, then enforce KEV‑first remediation sequencing so these four cannot serve as entry points for automated exploitation crews targeting your edge (CISA KEV Catalog).
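A sketch of KEV‑first remediation sequencing over an asset inventory, written as an added example and not as Lyrie's tooling. The `cveID` and `dueDate` field names follow CISA's KEV JSON feed; the due dates, hostnames, exposure flags and patch state are constructed placeholders.

```python
from datetime import date

# Constructed KEV-style records. Field names (cveID, dueDate) follow CISA's KEV
# JSON feed; the dueDate values are placeholders, not the catalog's real dates.
KEV = [
    {"cveID": "CVE-2024-57726", "dueDate": "2026-05-01"},
    {"cveID": "CVE-2024-57728", "dueDate": "2026-05-01"},
    {"cveID": "CVE-2024-7399", "dueDate": "2026-04-20"},
    {"cveID": "CVE-2025-29635", "dueDate": "2026-05-08"},
]

# Constructed inventory: hostnames, exposure flags and patch state are hypothetical.
INVENTORY = [
    {"host": "sh-01", "product": "SimpleHelp", "exposed": True,
     "cves": ["CVE-2024-57726", "CVE-2024-57728"], "patched": ["CVE-2024-57726"]},
    {"host": "sh-02", "product": "SimpleHelp", "exposed": True,
     "cves": ["CVE-2024-57726", "CVE-2024-57728"],
     "patched": ["CVE-2024-57726", "CVE-2024-57728"]},
    {"host": "signage-01", "product": "MagicINFO 9 Server", "exposed": False,
     "cves": ["CVE-2024-7399"], "patched": []},
    {"host": "rtr-branch-02", "product": "DIR-823x", "exposed": True,
     "cves": ["CVE-2025-29635"], "patched": []},
]

def remediation_queue(inventory, kev, today):
    """Order unpatched assets: exposed ones first (assume compromise), then by KEV due date."""
    due = {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev}
    now = date.fromisoformat(today)
    queue = []
    for asset in inventory:
        open_cves = sorted(c for c in asset["cves"]
                           if c in due and c not in asset["patched"])
        if not open_cves:
            continue  # fully patched against the KEV entries: nothing to queue
        earliest = min(due[c] for c in open_cves)
        queue.append({
            "host": asset["host"],
            "open_cves": open_cves,
            # Exposed and unpatched: isolate and start IR, per the IR readiness step.
            "action": "isolate+IR" if asset["exposed"] else "patch",
            "due": earliest.isoformat(),
            "overdue": earliest < now,
        })
    queue.sort(key=lambda r: (r["action"] != "isolate+IR", r["due"], r["host"]))
    return queue

if __name__ == "__main__":
    for row in remediation_queue(INVENTORY, KEV, "2026-04-25"):
        print(row)
```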

These four CVEs are classic KEV-priority edge bugs—exposed control planes with verified exploitation—so Lyrie weights them for machine-speed autonomous detection and blocking across monitored perimeters, with detectors keyed to exploitation sequences observed against SimpleHelp, MagicINFO, and DIR-823x services [CVE‑2024‑57726](https://research.lyrie.ai/research/cve-2024-57726-simple-help-simplehelp) [CVE‑2024‑7399](https://research.lyrie.ai/research/cve-2024-7399-samsung-magicinfo-9-server) [CVE‑2025‑29635](https://research.lyrie.ai/research/cve-2025-29635-dlink-dir-823x-firmware) and prioritized remediation aligned to CISA’s KEV guidance [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).