🚨 CRITICAL ALERT: Active Zero-Day Exploits
CISA has added two critical vulnerabilities (CVSS 8.8+), including CVE-2024-7399 linked to Mirai botnet deployment and CVE-2024-57726 enabling full server admin privilege escalation, to its Known Exploited Vulnerabilities catalog due to active in-the-wild exploitation. Federal agencies face a May 2026 remediation deadline—immediate action is required to prevent compromise of internet-facing systems.
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2024-7399 (CVSS: 8.8): Path traversal vulnerability in Samsung MagicINFO 9 Server (versions before 21.1050, and reportedly still vulnerable post-patch) allows unauthenticated attackers to write arbitrary files (including JSP shells) with SYSTEM authority, leading to remote code execution. Actively exploited for Mirai botnet deployment; PoC available since April 2025 with confirmed in-the-wild exploitation.
- CVE-2024-57726 (CVSS: 9.9): SimpleHelp remote support software v5.5.7 and prior allows low-privileged technicians to create API keys with excessive permissions, enabling privilege escalation to server admin role.
⚡ Immediate Actions Required
- Disconnect from internet: Take Samsung MagicINFO 9 Server and SimpleHelp servers offline immediately—no confirmed patches available for MagicINFO (version 21.1050 remains vulnerable).
- Apply vendor updates: Upgrade SimpleHelp beyond v5.5.7; monitor Samsung for a true fix.
- Scan environments: Hunt for IOCs including Mirai payloads, anomalous JSP files on ports 7001/7002, and rogue API keys.
- Implement network controls: Block inbound traffic to affected ports/services; enforce least privilege for technicians.
- Federal BOD 22-01: Apply mitigations or discontinue use by May 8, 2026.
CVE-2024-7399 carries a 99% EPSS exploitation probability. Act now to avoid botnet conscription or full server takeover.
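For the "Scan environments" step, one way to hunt web access logs for write requests that combine a path traversal sequence with a JSP file name. This is an added example, not code from CISA or either vendor; the Combined Log Format input, the `/placeholder/upload` endpoint and every sample line are constructed assumptions, since the alert does not name the affected paths.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Combined Log Format). The endpoint is a
# placeholder, not a real MagicINFO path; the alert does not give one.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2025:10:01:12 +0000] "POST /placeholder/upload?name=..%2f..%2fserver%2fshell.jsp HTTP/1.1" 200 12
198.51.100.4 - - [02/May/2025:10:02:00 +0000] "POST /placeholder/upload?name=%252e%252e%255c..%255cx.JSP HTTP/1.1" 200 12
192.0.2.10 - - [02/May/2025:10:03:00 +0000] "POST /placeholder/upload?name=menu.png HTTP/1.1" 200 12
192.0.2.10 - - [02/May/2025:10:04:00 +0000] "GET /index.jsp HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A ".." path segment followed by / or \, at the start of a path or parameter.
TRAVERSAL_RE = re.compile(r'(^|[/\\=&?])\.\.[/\\]')
# A .jsp/.jspx file name, case-insensitive, at the end of a path component.
JSP_RE = re.compile(r'\.jspx?($|[?&#/\\;\s])', re.I)


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_writes(log_text):
    """Return (client_ip, status, decoded_target) for POST/PUT requests
    whose decoded target holds both a traversal sequence and a JSP name."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, target, status = m.groups()
        if method.upper() not in ("POST", "PUT"):
            continue  # only requests that can write a file
        decoded = fully_decode(target)
        if TRAVERSAL_RE.search(decoded) and JSP_RE.search(decoded):
            hits.append((ip, int(status), decoded))
    return hits


if __name__ == "__main__":
    for ip, status, target in suspicious_writes(SAMPLE_LOG):
        print(f"{ip} status={status} target={target}")
```

A hit with a 2xx status is a lead for checking whether the named file exists on disk; request bodies are not in access logs, so multipart uploads that carry the file name in the body need a WAF or application log instead.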

