The US IT security authority CISA has observed attacks on SimpleHelp, Samsung MagicINFO and D-Link DIR-823X. Some of the security holes attacked are a little older.
In its warning, CISA lists the vulnerability entries. The attacks currently underway against vulnerabilities in the SimpleHelp RMM remote maintenance tool appear to be the most serious. One of the vulnerabilities allows low-privilege attackers to create high-privilege API keys and thus gain the server admin role (CVE-2024-57726, CVSS 9.9, risk "critical"). The other allows the upload of manipulated ZIP files that place files at any location on the file system and thus allow attackers to execute their own code with the rights of the SimpleHelp server (CVE-2024-57728, CVSS 7.2, risk "high"). Version 5.5.8 or later corrects the problems. However, the vulnerabilities were already being attacked in January 2025. Apparently some admins still have not applied the available updates.
Samsung MagicINFO 9 Server is a digital signage platform for controlling displays in companies and public institutions. Due to a vulnerability, attackers can write arbitrary files to the system with system rights. This apparently allows injected code to be executed. The vulnerability CVE-2024-7399 (CVSS 9.8, risk "critical") is already a bit older; Samsung released an update for it in August 2024. Activating the automatic update via "Menu" – "Support" – "Software Update" should find the update and push it to the device.
Botnet on EOL router
Malicious actors are also targeting D-Link DIR-823X routers. A vulnerability allows attackers from the network to execute arbitrary commands after logging in (CVE-2025-29635, CVSS 7.2, risk "high"). However, support for these routers expired on November 15, 2024. Anyone who still has such an outdated device in their IT environment should quickly replace it with a device for which the manufacturer provides security updates. The cloud and security provider Akamai reported last week on attacks on D-Link routers by the Mirai botnet, which is spreading on these outdated devices. The company provides Snort and Yara rules that can be used to detect known attacks and malware.
No further information is known about the other current attacks, such as the type, scope or indicators of successful attacks (Indicators of Compromise, IOC). However, IT managers should apply the available updates quickly.
(dmk)
