Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability

Vendor/Product: D-Link DIR-823X

Description: D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-08

Reference: CVE-2025-29635 - NVD

Expert take: The note that this product is likely end-of-life is the most important part of this entry. If D-Link isn’t issuing patches, there’s no fix coming — the only real option is to remove or replace the device. EoL networking hardware sitting on a corporate or even home office network is a persistent blind spot, especially in smaller organizations where nobody’s tracking device lifecycles. Command injection via a POST request is trivially exploitable once an attacker has any foothold on the network. If you’re running this device, pull it. If you’re not sure what networking hardware is in your environment, that’s a separate problem worth fixing.


CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability

Vendor/Product: Samsung MagicINFO 9 Server

Description: Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-08

Reference: CVE-2024-7399 - NVD

Expert take: MagicINFO is digital signage management software — the kind of system that manages screens in lobbies, boardrooms, and retail floors. It doesn’t usually get the same patching attention as core infrastructure, which is exactly why it ends up on lists like this. Writing arbitrary files as system authority means an attacker can drop malicious content anywhere on the server — web shells, backdoors, config overwrites. If your org runs any digital signage or AV management software, check whether it’s on a dedicated network segment isolated from your core environment. These systems are often overlooked in vulnerability management programs. They shouldn’t be.


CVE-2024-57728: SimpleHelp Path Traversal Vulnerability

Vendor/Product: SimpleHelp

Description: SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-08

Reference: CVE-2024-57728 - NVD

Expert take: Two SimpleHelp CVEs on the same list this week — look at both together, because they’re worse in combination. This one is a zip slip vulnerability: an attacker uploads a crafted archive that extracts files outside the intended directory. If an attacker can get to the admin panel — or escalate to it via CVE-2024-57726 below — they can write arbitrary files and get code execution on the host. SimpleHelp is a remote support tool, so it typically has broad access to endpoints by design. That makes compromise of the SimpleHelp server a high-impact event. Patch both CVEs, then audit who has admin access to your SimpleHelp instance.
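
The zip slip check described above, written out as an added example (this is not SimpleHelp's code): every member name is resolved against the destination directory, and the whole archive is refused if any member would land outside it. The archive contents and the destination path are constructed for the example.

```python
"""Added example, not SimpleHelp's code: refuse zip-slip archive entries
(the bug class behind CVE-2024-57728) before anything is written to disk."""
import io
import os
import zipfile
from pathlib import Path


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Names of members whose resolved path would land outside dest_dir."""
    dest = Path(dest_dir).resolve()
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Joining an absolute member name discards dest entirely; '..'
            # segments are collapsed by resolve() (strict=False touches no file).
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                flagged.append(info.filename)
    return flagged


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every member stays under dest_dir, else reject the archive.

    Rejecting beats silently rewriting paths: a hostile upload is a signal
    worth logging and alerting on, not something to quietly fix up.
    """
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"zip slip attempt, refusing archive: {bad}")
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_archive(hostile: bool) -> bytes:
    """Constructed sample upload: one benign entry, plus two escaping entries if hostile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/config.properties", "enabled=true\n")
        if hostile:
            zf.writestr("../../../../tmp/escaped.txt", "x")  # '..' traversal
            zf.writestr("/tmp/absolute.txt", "x")             # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_entries(build_sample_archive(True), "/srv/simplehelp/uploads"))
```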


CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability

Vendor/Product: SimpleHelp

Description: SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-08

Reference: CVE-2024-57726 - NVD

Expert take: This is the privilege escalation path that makes CVE-2024-57728 above much more dangerous. A low-privileged technician account — the kind that might be shared, reused, or held by a contractor — can generate API keys with full admin permissions. From there, the path to full server compromise is straightforward. The risk isn’t just external attackers either. If you have multiple people with technician-level access to SimpleHelp, this is also an insider risk. Review who has access, rotate any existing API keys, and patch immediately. Don’t treat these two CVEs separately.


CVE-2026-39987: Marimo Remote Code Execution Vulnerability

Vendor/Product: Marimo

Description: Marimo contains a pre-authorization remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-05-07

Reference: CVE-2026-39987 - NVD

Expert take: Marimo showed up in last week’s digest as a news story — now it’s on the KEV list. That escalation matters. Pre-auth RCE means no credentials needed, no barrier at all if the service is reachable. Marimo is a Python notebook environment and it often runs on data platforms, developer machines, or internal analytics infrastructure that gets treated as low-risk. If it’s internet-facing or accessible outside your VPN, that needs to change today. Patch it, restrict it, or both. The fact that it moved from “under active exploitation” news to a formal KEV entry in one week tells you attackers are actively using this.


📰 This Week’s Security News

American utility firm Itron discloses breach of internal IT network

Itron, Inc. has disclosed, via an 8-K filing with the U.S. Securities and Exchange Commission (SEC), a cybersecurity incident in which an unauthorized third party accessed certain internal systems.

Read more: American utility firm Itron discloses breach of internal IT network

Expert take: The 8-K filing route is worth noting — SEC disclosure requirements have changed how quickly public companies have to report incidents, and the market is watching. Itron makes smart grid and utility metering infrastructure, so the concern here isn’t just IT data. It’s whether access to internal systems could provide visibility into operational technology networks or customer utility data. For financial services firms, the indirect exposure is in your third-party risk program: if any vendors or service providers rely on Itron infrastructure, that’s a conversation to have. More broadly, utility sector breaches are a reminder that critical infrastructure dependencies sit underneath a lot of things we don’t think about.


ADT confirms data breach after ShinyHunters leak threat

Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.

Read more: ADT confirms data breach after ShinyHunters leak threat

Expert take: ShinyHunters is a well-known extortion group with a long track record of large-scale data theft. ADT collects a significant amount of sensitive customer data — home addresses, security system configurations, contact information — which makes this breach more than just a credential dump. The extortion model here is also worth understanding: the threat of public leak is the leverage, not ransomware encryption. That means paying doesn’t guarantee the data disappears. If your org uses ADT for physical security monitoring at any facilities, flag this to your physical security and risk teams. And if any employees use ADT at home, they should be watching for targeted phishing using their personal details.


New BlackFile extortion group linked to surge of vishing attacks

A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.

Read more: New BlackFile extortion group linked to surge of vishing attacks

Expert take: Vishing — voice phishing — is having a moment right now. BlackFile’s approach involves calling employees directly, impersonating IT support or vendors, and talking them into providing credentials or remote access. It works because most security awareness training focuses on email phishing and employees aren’t prepared for a convincing phone call. The retail and hospitality targeting makes sense: high staff turnover, lots of part-time employees, help desk processes that are built for speed over security. If your org has a customer-facing or service desk function, this is worth adding to your next security awareness session. The script is always some variation of “IT here, we need your credentials to fix an urgent issue.” Train people to verify through a separate channel before giving anything.


✅ What You Should Do This Week

  • Immediate: Patch CVE-2024-57728 and CVE-2024-57726 together — these two SimpleHelp CVEs chain into full server compromise
  • Replace: If you’re running D-Link DIR-823X, it’s EoL — remove it, don’t wait for a patch that isn’t coming
  • Patch: CVE-2024-7399 (Samsung MagicINFO) and CVE-2026-39987 (Marimo) — both carry CISA due dates of May 7–8
  • Verify: Check your systems against the CISA KEV catalog
  • Audit: Review who has technician-level access to any remote support tools and rotate API keys
  • Third-party risk: If any vendors rely on Itron or ADT infrastructure, initiate a check-in
  • Awareness: Add vishing to your next security awareness touchpoint — BlackFile is actively using it
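
For the "Verify" item above, an added example (not CISA's or GRC Vitrix's code) that matches an asset inventory against the KEV feed and ranks hits by due date. Field names follow the public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the feed excerpt and the inventory are constructed for this example.

```python
"""Added example, not CISA's or GRC Vitrix's code: match an asset inventory
against the CISA KEV feed and rank what is due. Field names follow the public
KEV JSON feed; the feed excerpt and inventory here are constructed."""
import json
from datetime import date

# Constructed excerpt in the KEV feed's shape (only the fields used here).
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "dueDate": "2026-05-08"},
    {"cveID": "CVE-2026-39987", "vendorProject": "Marimo", "product": "Marimo", "dueDate": "2026-05-07"},
]})

# Constructed inventory as an asset system might record it: (vendor, product, host).
SAMPLE_INVENTORY = [
    ("simplehelp", "SimpleHelp 5.x", "support-01"),
    ("Marimo", "marimo notebook", "analytics-07"),
    ("Example Corp", "Widget Server", "app-03"),   # placeholder vendor, no KEV entry
]


def _matches(entry: dict, vendor: str, product: str) -> bool:
    """Case-insensitive vendor match plus product substring match in either direction."""
    if entry["vendorProject"].lower() != vendor.lower():
        return False
    a, b = entry["product"].lower(), product.lower()
    return a in b or b in a


def kev_exposure(feed_json: str, inventory, today: date) -> list[dict]:
    """Return KEV hits for the inventory, most urgent (or most overdue) first."""
    feed = json.loads(feed_json)["vulnerabilities"]
    hits = []
    for vendor, product, host in inventory:
        for entry in feed:
            if _matches(entry, vendor, product):
                days_left = (date.fromisoformat(entry["dueDate"]) - today).days
                hits.append({"host": host, "cve": entry["cveID"], "due": entry["dueDate"],
                             "days_left": days_left, "overdue": days_left < 0})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for hit in kev_exposure(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date.today()):
        print(hit)
```

Swap the constructed excerpt for the downloaded feed and the constructed inventory for an export from your asset system; the matching is deliberately loose on product names, so review hits rather than treating them as confirmed.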



GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.