Attacks on SimpleHelp, Samsung MagicINFO, and D-Link DIR-823X observed

The US agency CISA warns of observed attacks on vulnerabilities in SimpleHelp, Samsung MagicINFO, and D-Link DIR-823X.

The US cybersecurity agency CISA has observed attacks on SimpleHelp, Samsung MagicINFO, and D-Link DIR-823X. Some of the exploited vulnerabilities are not new.

In its alert, CISA lists the vulnerability entries. The most serious appear to be the ongoing attacks on vulnerabilities in the remote maintenance tool SimpleHelp RMM. One of them allows attackers with low privileges to create API keys with far-reaching permissions and thus gain server administrator roles (CVE-2024-57726, CVSS 9.9, Risk “critical”). The other allows the upload of manipulated ZIP files that place files at arbitrary locations in the file system, which allows attackers to execute their own code with the privileges of the SimpleHelp server (CVE-2024-57728, CVSS 7.2, Risk “high”). Version 5.5.8 or newer corrects the problems. However, the vulnerabilities were already being attacked in January 2025. Apparently, some administrators have still not applied the available updates.

Samsung MagicINFO 9 Server is a digital signage platform for controlling displays in companies and public institutions. Due to a vulnerability, attackers can write arbitrary files to the system with system privileges. This apparently allows the execution of injected code. The vulnerability CVE-2024-7399 (CVSS 9.8, Risk “critical”) is not new; Samsung addressed it with an update in August 2024. Activating the automatic update via “Menu” - “Support” - “Software Update” should find the update and deliver it to the device.

Malicious actors are also targeting D-Link DIR-823X routers. On these devices, attackers can execute arbitrary commands from the network after logging in (CVE-2025-29635, CVSS 7.2, Risk “high”). However, support for these routers expired on November 15, 2024. Anyone who still has such an outdated device in their IT environment should replace it immediately with a device that the manufacturer supplies with security updates. Cloud and security provider Akamai reported last week on attacks on D-Link routers by the Mirai botnet, which is spreading on these outdated devices. The company provides Snort and Yara rules that can be used to detect known attacks and malware.

No further details are known about the nature, scope, or indicators of compromise (IOC) of the other current attacks. However, IT managers should promptly apply the available updates.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.