HackMyIP
2026-04-25 The Hacker News

CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline

Vulnerability, Regulation, Threat Intel

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for remediation across federal networks. The newly listed flaws include CVE‑2022‑26533, a remote‑code‑execution (RCE) vulnerability in SimpleHelp’s remote monitoring and management (RMM) software; CVE‑2022‑38379, an authentication‑bypass flaw in the same product; CVE‑2023‑38213, an arbitrary‑file‑upload issue in Samsung MagicINFO 9 Server; and CVE‑2021‑45382, a command‑injection vulnerability affecting D‑Link DIR‑823X series routers. All four CVEs have been observed being weaponized in the wild, with threat actors leveraging them to gain persistent access to targeted environments.

CISA’s KEV entry cites evidence from multiple incident reports and threat‑intelligence feeds confirming active exploitation, often associated with ransomware operators and advanced persistent threat (APT) groups. The inclusion of SimpleHelp’s two separate flaws underscores the software’s popularity as an entry point for supply‑chain attacks, while the Samsung MagicINFO flaw has been linked to campaigns targeting digital signage infrastructure. The D‑Link router flaw, dating back to 2021, remains a favored vector for botnet operators due to the device’s end‑of‑life status and limited firmware update cadence.

In a Binding Operational Directive (BOD) issued this week, CISA gave all Civilian Executive Branch agencies until May 25, 2026 to apply mitigation measures for the listed vulnerabilities. The deadline aligns with the agency’s ongoing effort to shrink the window of opportunity for adversaries and reflects a phased approach to remediation that accounts for the complexity of updating embedded systems such as routers and server‑based applications. The directive also encourages private‑sector organizations to adopt the same timeline to strengthen the overall resilience of the national cyber ecosystem.

To remediate the risks, CISA recommends the following actions: for SimpleHelp, administrators should upgrade to the latest release that patches CVE‑2022‑26533 and CVE‑2022‑38379, enforce least‑privilege accounts, and isolate the management interface behind a VPN. For Samsung MagicINFO 9 Server, applying the vendor‑released patch for CVE‑2023‑38213 and disabling the file‑upload feature if not required are critical steps. Owners of D‑Link DIR‑823X devices should replace unsupported hardware where possible; if replacement is not feasible, they should apply the most recent firmware, disable remote‑management interfaces, and monitor for Indicators of Compromise (IOCs) such as unusual outbound traffic or unauthorized configuration changes.
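One way to track the deadline and remediation items above against your own scan results, as an added example that is not from the article or from CISA. The catalog entries are a constructed sample using the `cveID`/`product`/`dueDate` field names of the KEV JSON export with the CVE IDs and due date reported here; the hostnames, findings and the `kev_backlog` helper are hypothetical.

```python
import json
from datetime import date

# Constructed sample using the cveID/product/dueDate field names of the KEV JSON
# export. CVE IDs and the 2026-05-25 due date are the ones reported in the article.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2022-26533", "product": "SimpleHelp", "dueDate": "2026-05-25"},
 {"cveID": "CVE-2022-38379", "product": "SimpleHelp", "dueDate": "2026-05-25"},
 {"cveID": "CVE-2023-38213", "product": "MagicINFO 9 Server", "dueDate": "2026-05-25"},
 {"cveID": "CVE-2021-45382", "product": "DIR-823X", "dueDate": "2026-05-25"}]}""")

# Constructed scanner findings; hostnames are hypothetical. The router row uses
# U+2011 non-breaking hyphens, as happens when an ID is pasted from a web page.
FINDINGS = [
    {"host": "rmm01.example.internal", "cve": "CVE-2022-26533", "fixed": True},
    {"host": "rmm01.example.internal", "cve": "cve-2022-38379", "fixed": False},
    {"host": "signage-srv.example.internal", "cve": "CVE-2023-38213", "fixed": False},
    {"host": "branch-rtr7.example.internal", "cve": "CVE\u20112021\u201145382", "fixed": False},
    {"host": "web02.example.internal", "cve": "CVE-0000-0000", "fixed": False},  # placeholder, not in KEV
]

# Unicode hyphen look-alikes that break exact string matching on CVE IDs.
HYPHENS = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2212"), "-")

def normalize_cve(raw):
    """Upper-case, trim, and map Unicode hyphen look-alikes to ASCII '-'."""
    return raw.strip().translate(HYPHENS).upper()

def kev_backlog(catalog, findings, today, soon_days=7):
    """Return unremediated findings that match a KEV entry, most urgent first."""
    kev = {normalize_cve(v["cveID"]): v for v in catalog["vulnerabilities"]}
    rows = []
    for f in findings:
        cve = normalize_cve(f["cve"])
        entry = kev.get(cve)
        if entry is None or f["fixed"]:
            continue  # not a KEV item, or already remediated
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else "DUE_SOON" if days_left <= soon_days else "OPEN"
        rows.append({"host": f["host"], "cve": cve, "product": entry["product"],
                     "days_left": days_left, "status": status})
    return sorted(rows, key=lambda r: (r["days_left"], r["host"]))

if __name__ == "__main__":
    for row in kev_backlog(KEV_SAMPLE, FINDINGS, date(2026, 5, 20)):
        print(row)
```

Without the hyphen normalization the router finding would silently fall out of the backlog, which is the failure mode to watch for when CVE IDs reach a tracker by copy and paste.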

Source: The Hacker News
