cbcvebase.
CVE-2024-57726
published 2025-01-15


Priority: P1 · 94 · critical · CVSS 3.1: 9.9
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2026-05-08
Exploited in the wild
EPSS: 9.33% (94.8th percentile)
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.

Affected

1 range

Vendor        Product      Version range   Fixed in
simple-help   simplehelp   < 5.5.8         5.5.8

Detection & IOCs (extracted from sources)

IP: 194.76.227[.]171
Process: Remote Access.exe
  • Look for unauthorized SimpleHelp client connections to unrecognized/external SimpleHelp server IPs, particularly 194.76.227[.]171 on port 80.
  • Hunt for newly created local administrator accounts named 'sqladmin' or 'fpmhlttech' — both were created by attackers post-exploitation to maintain persistence.
  • Detect a Cloudflare Tunnel process masquerading as Windows svchost.exe on Domain Controllers — used by attackers for stealthy persistence after lateral movement.
  • Monitor for discovery commands (net, nltest) executed under the SimpleHelp 'Remote Access.exe' process context, indicating post-exploitation reconnaissance.
  • Monitor for API key creation events by low-privileged technician accounts in SimpleHelp, especially keys granted server admin-level permissions — core exploitation mechanism of CVE-2024-57726.
  • Field Effect observed a command searching for the CrowdStrike Falcon security suite during the attack, suggesting attackers perform EDR enumeration for bypass planning.
  • Exploitation requires a low-privileged technician account on the SimpleHelp server; the vulnerability is a missing authorization check on the API key creation endpoint, not an unauthenticated flaw.
  • CVE-2024-57726 is chained with CVE-2024-57727 (unauthenticated file download) and CVE-2024-57728 (zip-slip file upload/RCE) in observed attacks; patching all three is required for full remediation.
  • Arctic Wolf's initial campaign report was medium-confidence attribution to these CVEs; Field Effect subsequently confirmed exploitation in the wild.
  • Fixes are available in SimpleHelp versions 5.5.8, 5.4.10, and 5.3.9; all prior versions (≤5.5.7) are vulnerable.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.9     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck             9.9     CRITICAL
cisa                  9.9     CRITICAL