April 2026 CISA KEV: 12 Vulnerabilities in a Week, Ransomware Alert
CISA added 12 exploited vulnerabilities to the KEV catalog from April 20-24, 2026. SimpleHelp, D-Link, and Samsung are among the affected brands.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two separate updates to the Known Exploited Vulnerabilities (KEV) catalog within just a few days, between April 20 and 24, 2026. The acceleration of these publications reflects an intensification of threats actively exploited in the field, with a total of 12 vulnerabilities added and tight deadlines for federal agencies.
The Double Update of the KEV Catalog
On Monday, April 20, 2026, CISA added 8 new vulnerabilities to the KEV catalog, followed by a second update on Friday, April 24, with an additional 4 CVEs. The unusual frequency of two publications in the same week signals an escalation of threats requiring immediate attention from system administrators and security managers.
Vulnerabilities added on April 24 include CVE-2024-57726 (CVSS 9.9) and CVE-2024-57728 (CVSS 7.2) in SimpleHelp software, CVE-2024-7399 (CVSS 8.8) in Samsung MagicINFO 9 Server, and CVE-2025-29635 (CVSS 7.5) in D-Link DIR-823X routers. The April 20 update included CVE-2025-32975 (CVSS 10.0) in Quest KACE SMA and CVE-2023-27351 (CVSS 8.2) in PaperCut NG/MF, among others.
SimpleHelp: Vulnerabilities with Ransomware Impact
The two flaws identified in SimpleHelp present distinct risk profiles. CVE-2024-57726 (CVSS 9.9) is a missing authorization vulnerability that allows low-privileged technicians to generate API keys with excessive permissions. CVE-2024-57728 (CVSS 7.2) is a path traversal vulnerability exploitable via zip slip attacks to achieve arbitrary code execution on target systems.
According to reports from Field Effect and Sophos, the SimpleHelp vulnerabilities were used as a starting point for ransomware attacks attributed to the DragonForce group. This exploitation chain highlights how remote support products remain favored vectors for attackers.
Mirai Variants and End-of-Life Devices
CVE-2024-7399 in Samsung MagicINFO 9 Server has been linked to deployments of the Mirai botnet. The vulnerability, with a CVSS of 8.8, exposes servers to compromises that can fuel DDoS campaigns and large-scale malware propagation.
In parallel, CVE-2025-29635 affects D-Link DIR-823X routers via a command injection vulnerability. Akamai recorded active exploitation attempts in the week preceding April 25, 2026, delivering a Mirai variant named 'tuxnokill'. The D-Link DIR-823X router is an end-of-life device, meaning it is no longer supported by the manufacturer with security updates.
Approaching Federal Deadlines
For Federal Civilian Executive Branch (FCEB) agencies, CISA set a deadline of May 8, 2026, to apply patches or decommission affected D-Link DIR-823X devices for CVE-2025-29635. The ultimatum underscores the severity attributed to ongoing threats and the need for timely intervention on devices no longer maintained by the vendor.
Multiple Threat Actors and Geolocation of Attacks
The attribution of the campaigns highlights a diversification of active groups. UAC-0233 has exploited ZCS vulnerabilities (CVE-2025-48700 and CVE-2025-66376) against Ukrainian entities since September 2025. According to CERT-UA, "Upon successful compromise, the attackers gained access to mailbox contents, including correspondence compiled into a TGZ archive, multi-factor authentication backup codes, application passwords, and the global address book".
CVE-2023-27351 in PaperCut NG/MF was instead attributed to the Lace Tempest group for attacks conducted in April 2023 using Cl0p and LockBit ransomware. CVE-2025-32975 in Quest KACE SMA, with the maximum score of CVSS 10.0, was weaponized by unidentified threat actors on unpatched systems until late March 2026.
Frequently Asked Questions
- What is the CISA KEV catalog?
  The Known Exploited Vulnerabilities catalog is an official list of vulnerabilities actively exploited in the wild, which imposes mitigation obligations on US federal agencies within defined deadlines.
- Which products are affected by the April 2026 KEV updates?
  Involved products include SimpleHelp, Samsung MagicINFO 9 Server, D-Link DIR-823X routers, Quest KACE SMA, PaperCut NG/MF, and Cisco Catalyst SD-WAN Manager, among others.
- What does it mean when a device is end-of-life?
  An end-of-life device no longer receives security updates from the manufacturer. In these cases, the only effective mitigation is decommissioning or isolation from the network.
This article is a summary based exclusively on the sources listed.
Sources
- https://www.matricedigitale.it/2026/04/21/cisa-supply-chain-axios-kev-activemq-antigravity-sglang/
- https://thehackernews.com/2026/04/cisa-adds-8-exploited-flaws-to-kev-sets.html
- https://www.matricedigitale.it/2026/04/24/cisa-cisco-firestarter/
- https://www.matricedigitale.it/2026/04/24/cisa-zimbra-lmdeploy/
- https://www.matricedigitale.it/2026/03/19/cisa-kev-zimbra-sharepoint/