U.S. CISA Catalogs SimpleHelp Vulnerability as Known Exploited Threat

February 14, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a SimpleHelp flaw, tracked as CVE-2024-57727, to its Known Exploited Vulnerabilities (KEV) catalog. This follows Horizon3 researchers' disclosure at the end of January of three vulnerabilities in SimpleHelp: CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. These vulnerabilities can be exploited to compromise a SimpleHelp server as well as the client machines it manages.

The most critical of the three, CVE-2024-57727, with a CVSS score of 7.5, is an unauthenticated path traversal issue that allows attackers to download arbitrary files from the server. That includes sensitive data such as the serverconfig.xml file, which contains hashed admin and technician passwords, LDAP credentials, and other encrypted secrets. Horizon3 reported the issue to SimpleHelp on Jan. 6, 2025, and the patched version 5.3.9 was released a week later.

Arctic Wolf, a security firm, has reported an ongoing campaign targeting SimpleHelp servers. The attacks are allegedly exploiting the vulnerabilities above and began a week after their public disclosure. The attackers could potentially download files, upload files with admin privileges, and escalate their access to an administrative level on vulnerable servers. A week before this campaign emerged, Arctic Wolf had observed unauthorized access to devices running SimpleHelp RMM software being used as an initial access vector. The first sign of intrusion was communication with an unapproved SimpleHelp server; however, the session was terminated early, preventing further action.

To mitigate the risk, experts recommend uninstalling unused SimpleHelp client software left over from past support sessions, rotating passwords for admin and technician accounts, and restricting the IP addresses allowed to log in to SimpleHelp servers. The Shadowserver Foundation reported 580 vulnerable instances exposed online, primarily in the United States and the UK.
As per Binding Operational Directive (BOD) 22-01, federal agencies must address the identified vulnerabilities by the due date to protect their networks from attacks exploiting the flaws in the catalog. Private organizations are also advised to review the Catalog and address the vulnerabilities in their infrastructure. CISA has set a deadline of March 6, 2025, for federal agencies to fix this vulnerability.
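Because CVE-2024-57727 is described above as an unauthenticated path traversal used to pull files such as serverconfig.xml, a practical defender-side check is to scan the server's HTTP access logs for traversal sequences and requests for that file. The script below is an added example and is not code from the article, CISA, Horizon3, Arctic Wolf, or SimpleHelp. The log lines are constructed in common access-log format, the request paths are hypothetical and are not the product's real vulnerable endpoint, and the `SENSITIVE_FILES` list is an assumption you would extend for your own deployment. It decodes paths repeatedly so that single- and double-URL-encoded `../` sequences are normalised before matching, and it rates a finding higher when the server returned a 200 for a sensitive file.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (hypothetical; not from any real SimpleHelp server).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [20/Jan/2025:10:01:09 +0000] "GET /static/../../serverconfig.xml HTTP/1.1" 200 8192
203.0.113.7 - - [20/Jan/2025:10:01:10 +0000] "GET /static/%2e%2e%2f%2e%2e%2fserverconfig.xml HTTP/1.1" 200 8192
203.0.113.9 - - [20/Jan/2025:10:02:30 +0000] "GET /static/%252e%252e%252fserverconfig.xml HTTP/1.1" 404 0
198.51.100.2 - - [20/Jan/2025:10:03:00 +0000] "POST /login HTTP/1.1" 302 0
"""

# Common/combined-style access log: client IP, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A ".." path component bounded by slashes (or the start/end of the path).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

# Assumption: files whose retrieval should always be treated as suspicious.
# serverconfig.xml is named in the article; add others for your own environment.
SENSITIVE_FILES = ("serverconfig.xml",)


def normalise(path: str) -> str:
    """Percent-decode until stable (max 3 rounds) so %2e%2e%2f and %252e%252e%252f
    both become '../', then unify backslashes and drop any query string."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").split("?", 1)[0]


def classify(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m["path"])
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("path traversal sequence")
    if any(path.lower().endswith(name) for name in SENSITIVE_FILES):
        reasons.append("sensitive file requested")
    if not reasons:
        return None
    # A 200 on a sensitive file means the download likely succeeded; a 404 is still a probe worth noting.
    severity = "high" if m["status"] == "200" and "sensitive file requested" in reasons else "medium"
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "raw_path": m["path"],
        "normalised_path": path,
        "status": int(m["status"]),
        "reasons": reasons,
        "severity": severity,
    }


def scan(log_text: str):
    """Scan every line of an access log and return the list of findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def summarise_by_ip(findings):
    """Count findings per source IP to spot a single client probing repeatedly."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ip']} {f['status']} {f['normalised_path']}  ({', '.join(f['reasons'])})")
    print("per-IP:", summarise_by_ip(scan(SAMPLE_LOG)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; anything rated `high` is a candidate for the credential rotation the article recommends, since a successful serverconfig.xml download exposes the hashed admin and technician passwords and LDAP credentials described above.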
