CVE-2024-57726
Published: 2025-01-15
Priority P1 · 94 · critical · 9.9 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2026-05-08
Exploited in the wild
EPSS: 9.33% (94.8th percentile)
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-help | simplehelp | < 5.5.8 | 5.5.8 |
Detection & IOCs (extracted from sources)
- Look for unauthorized SimpleHelp client connections to unrecognized/external SimpleHelp server IPs, particularly 194.76.227[.]171 on port 80.
- Hunt for newly created local administrator accounts named 'sqladmin' or 'fpmhlttech'; both were created by attackers post-exploitation to maintain persistence.
- Detect a Cloudflare Tunnel process masquerading as Windows svchost.exe on Domain Controllers, used by attackers for stealthy persistence after lateral movement.
- Monitor for discovery commands (net, nltest) executed under the SimpleHelp 'Remote Access.exe' process context, indicating post-exploitation reconnaissance.
- Monitor for API key creation events by low-privileged technician accounts in SimpleHelp, especially keys granted server admin-level permissions; this is the core exploitation mechanism of CVE-2024-57726.
- Field Effect observed a command searching for the CrowdStrike Falcon security suite during the attack, suggesting attackers perform EDR enumeration for bypass planning.
- Exploitation requires a low-privileged technician account on the SimpleHelp server; the vulnerability is a missing authorization check on the API key creation endpoint, not an unauthenticated flaw.
- CVE-2024-57726 is chained with CVE-2024-57727 (unauthenticated file download) and CVE-2024-57728 (zip-slip file upload/RCE) in observed attacks; patching all three is required for full remediation.
- Arctic Wolf's initial campaign report gave medium-confidence attribution to these CVEs; Field Effect subsequently confirmed exploitation in the wild.
- Fixes are available in SimpleHelp versions 5.5.8, 5.4.10, and 5.3.9; all prior versions (≤5.5.7) are vulnerable.
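The hunts listed above, as an added example that is not part of this page or of SimpleHelp's own tooling: a small Python pass that evaluates them over constructed key=value telemetry lines. The line format, the field names (`type`, `image`, `parent`, `dst`, `dport`, `user`, `groups`) and the `role=dc` host tag are assumptions; the IP, account names, parent process and discovery tools are the ones the list names. The svchost check generalizes the Cloudflare Tunnel item to any svchost.exe on a Domain Controller running from outside System32.

```python
import re
# Indicators from this page's detection list (the IP is defanged there).
SUSPECT_SERVER_IP = "194.76.227.171"
SUSPECT_ACCOUNTS = {"sqladmin", "fpmhlttech"}
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}
SIMPLEHELP_CLIENT = "remote access.exe"
SYSTEM32 = "c:\\windows\\system32\\"  # legitimate home of svchost.exe
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
def parse_event(line: str) -> dict:
    # Constructed telemetry format (assumption): space-separated key=value pairs, keys lowercased.
    return {k.lower(): (q or u) for k, q, u in _KV.findall(line)}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def check_event(ev: dict) -> list:
    """Return the names of the hunts this event matches (empty if none)."""
    hits, kind = [], ev.get("type", "")
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    # 1. SimpleHelp client talking to the known-bad server on port 80.
    if kind == "netconn" and image == SIMPLEHELP_CLIENT \
            and ev.get("dst") == SUSPECT_SERVER_IP and ev.get("dport") == "80":
        hits.append("simplehelp_client_to_known_bad_server")
    # 2. Local admin accounts the attackers created for persistence.
    if kind == "useradd" and ev.get("user", "").lower() in SUSPECT_ACCOUNTS \
            and "administrators" in ev.get("groups", "").lower():
        hits.append("post_exploit_admin_account")
    # 3. net/nltest discovery spawned by the SimpleHelp 'Remote Access.exe' process.
    if kind == "proccreate" and image in RECON_TOOLS and parent == SIMPLEHELP_CLIENT:
        hits.append("recon_under_simplehelp")
    # 4. svchost.exe on a DC running from outside System32 (Cloudflare Tunnel masquerade).
    if kind == "proccreate" and image == "svchost.exe" and ev.get("role") == "dc" \
            and not ev.get("image", "").lower().startswith(SYSTEM32):
        hits.append("svchost_masquerade_on_dc")
    return hits

def scan(lines) -> dict:  # map each hunt name to the raw lines that triggered it
    out = {}
    for line in lines:
        for hit in check_event(parse_event(line)):
            out.setdefault(hit, []).append(line)
    return out

# Constructed sample telemetry (not real logs): one true positive per hunt plus a benign svchost.
SAMPLE_LOGS = [
    'type=netconn host=ws01 image="C:\\Program Files\\SimpleHelp\\Remote Access.exe" dst=194.76.227.171 dport=80',
    'type=useradd host=ws01 user=sqladmin groups="Administrators"',
    'type=proccreate host=ws01 parent="C:\\Program Files\\SimpleHelp\\Remote Access.exe" image="C:\\Windows\\System32\\nltest.exe"',
    'type=proccreate host=dc01 role=dc parent="C:\\Windows\\explorer.exe" image="C:\\Users\\Public\\svchost.exe"',
    'type=proccreate host=dc01 role=dc parent="C:\\Windows\\System32\\services.exe" image="C:\\Windows\\System32\\svchost.exe"',
]
```

`scan(SAMPLE_LOGS)` returns one matched line per hunt; the benign System32 svchost line produces no finding.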
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | | 9.9 | CRITICAL | |
| cisa | | 9.9 | CRITICAL | |
VulDB
SimpleHelp Remote Support Software up to 5.5.7 API Key permission (EUVD-2024-53724 / Nessus ID 233191)
vuldb·2026-05-14·CVSS 9.9
CVE-2024-57726 [CRITICAL] SimpleHelp Remote Support Software up to 5.5.7 API Key permission (EUVD-2024-53724 / Nessus ID 233191)
A vulnerability categorized as critical has been discovered in SimpleHelp Remote Support Software up to 5.5.7. The impacted element is an unknown function of the component API Key Handler. Executing a manipulation can lead to permission issues.
This vulnerability is registered as CVE-2024-57726. It is possible to launch the attack remotely. Furthermore, an exploit is available.
GHSA
GHSA-8388-c89m-3x67: SimpleHelp remote support software v5
ghsa_unreviewed·2025-01-16
CVE-2024-57726 [HIGH] CWE-862 GHSA-8388-c89m-3x67: SimpleHelp remote support software v5
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
VulnCheck
SimpleHelp API Key Technician to Server Admin Privilege Escalation
vulncheck·2024·CVSS 9.9
CVE-2024-57726 [CRITICAL] SimpleHelp API Key Technician to Server Admin Privilege Escalation
SimpleHelp API Key Technician to Server Admin Privilege Escalation
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
Affected: SimpleHelp SimpleHelp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://x.com/MsftSecIntel/status/1912906407239655833; https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/; https://socradar.io/dragonforce-exploits-simplehelp-msp-ransomware/;
CISA
SimpleHelp Missing Authorization Vulnerability
cisa·2026-04-24·CVSS 9.9
CVE-2024-57726 [CRITICAL] CWE-862 SimpleHelp Missing Authorization Vulnerability
Vulnerability: SimpleHelp Missing Authorization Vulnerability
Affected: SimpleHelp SimpleHelp
SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57726
Remediation Due Date: 2026-05-08
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
blogs_hackernews·2026-04-25·CVSS 9.9
CVE-2024-57726 [CRITICAL] CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
## CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below -
CVE-2024-57726 (CVSS score: 9.9) - A missing authorization vulnerability in SimpleHelp that could allow low-privileged technicians to create API keys with excessive permissions, which can then be used to escalate privileges to the server admi
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Securelist
IT threat evolution in Q2 2025. Non-mobile statistics
blogs_securelist·2025-09-05
IT threat evolution in Q2 2025. Non-mobile statistics
Table of Contents
The quarter in numbers
Ransomware
Quarterly trends and highlights
Law enforcement success
Vulnerabilities and attacks
Mass exploitation of a vulnerability in SAP NetWeaver
Attacks via the SimpleHelp remote administration tool
Qilin exploits vulnerabilities in Fortinet
Exploitation of a Windows CLFS vulnerability
The most prolific groups
Number of new variants
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 countries and territories attacked by ransomware Trojans
TOP 10 most common families of ransomware Trojans
Miners
Number of new variants
Number of users attacked by miners
Geography of attacked users
TOP 10 countries and territories attacked by miners
Attacks on macOS
TOP 20 threats to macOS
Geography of threats t
Securelist
Desktop and IoT threat report for Q2 2025
blogs_securelist·2025-09-05
Desktop and IoT threat report for Q2 2025
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- IoT threat statistics
- Attacks via web resources
- Local threats
Authors
- AMR
IT threat evolution in Q2 2025. Non-mobile statistics
IT threat evolution in Q2 2025. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
## The quarter in numbers
In Q2 2025:
- Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
- Web Anti-Virus detected 77 million unique links.
- File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
- There were 1,702 new ransomwar
Bleepingcomputer
FBI: Play ransomware breached 900 victims, including critical orgs
blogs_bleepingcomputer·2025-06-04·CVSS 9.9
[CRITICAL] FBI: Play ransomware breached 900 victims, including critical orgs
## FBI: Play ransomware breached 900 victims, including critical orgs
By Sergiu Gatlan
In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.
"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024," the FBI warned.
"As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors."
Today's update also notes that the gang uses recompiled malware in every atta
Bleepingcomputer
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
blogs_bleepingcomputer·2025-05-27·CVSS 9.9
CVE-2024-57727 [CRITICAL] DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
## DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
By Lawrence Abrams
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
Sophos was brought in to investigate the attack and believes the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.
SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.
The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems,
Bleepingcomputer
Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
blogs_bleepingcomputer·2025-02-06·CVSS 9.9
CVE-2024-57726 [CRITICAL] Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
## Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
By Bill Toulas
Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
The flaws are tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 and were reported as potentially actively exploited by Arctic Wolf last week. However, the cybersecurity firm could not confirm for sure if the flaws were used.
Cybersecurity firm Field Effect has confirmed to BleepingComputer that the flaws are being exploited in recent attacks and released a report that sheds light on the post-exploitation activity.
Additionally, the cybersecurity researchers mention that the observed activity has signs of Akira ransomware attacks, th
Bleepingcomputer
Hackers exploiting flaws in SimpleHelp RMM to breach networks
blogs_bleepingcomputer·2025-01-28·CVSS 9.9
CVE-2024-57726 [CRITICAL] Hackers exploiting flaws in SimpleHelp RMM to breach networks
## Hackers exploiting flaws in SimpleHelp RMM to breach networks
By Bill Toulas
Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks.
The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow threat actors to download and upload files on devices and escalate privileges to administrative levels.
The vulnerabilities were discovered and disclosed by Horizon3 researchers two weeks ago. SimpleHelp released fixes between January 8 and 13 in product versions 5.5.8, 5.4.10, and 5.3.9.
Arctic Wolf now reports about an ongoing campaign targeting SimpleHelp servers that started roughly a week after Horizon3's public disclosure of the flaws.
The security comp
References
- https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
- https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57726
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-dragonforce
Published: 2025-01-15
Added to CISA KEV: 2026-04-24
Exploited in the wild