CVE-2024-57727
published 2025-01-15

Priority: P1 · 94 · high
CVSS 3.1 base score: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-03-06
Exploited in the wild
EPSS: 95.15% (99.9th percentile)
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.

Affected

1 range
Vendor       Product     Version range   Fixed in
simple-help  simplehelp  < 5.5.8         5.5.8

Detection & IOCs (extracted from sources)

ip:       194.76.227.171
other:    sqladmin
process:  Remote Access.exe
path:     C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00112084494\JWrapperTemp-1745261021-3-app\bin\windowslauncher.exe
registry: \MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
command:  C:\Windows\System32\vssadmin.exe 'delete' 'shadows' '/shadow={5aa57685-c258-4396-b702-6722ab58e603}
  • Look for the SimpleHelp 'Remote Access.exe' process communicating with unapproved/unknown SimpleHelp servers as an early indicator of compromise.
  • Monitor for post-exploitation discovery commands executed via SimpleHelp RMM: 'net', 'nltest', cmd.exe spawned from the RMM process.
  • Alert on creation of local administrator accounts named 'sqladmin' or 'fpmhlttech', which are attacker-created persistence accounts observed in active exploitation of CVE-2024-57727.
  • Detect Sliver C2 beacon (agent.exe) deployed after SimpleHelp RMM exploitation; monitor for outbound C2 connections from agent.exe to Netherlands-based IPs.
  • Detect Cloudflare Tunnel processes masquerading as Windows svchost.exe installed on Domain Controllers following SimpleHelp RMM compromise.
  • Monitor for JWrapper (SimpleHelp component) executing files or modifying UAC registry keys; specifically PromptOnSecureDesktop set to false via windowslauncher.exe.
  • Monitor for vssadmin delete shadows commands executed in the context of a SimpleHelp/JWrapper session, indicating ransomware pre-staging.
  • Track inbound SimpleHelp RMM connections from IP 194.76.227.171 (Estonian server) on port 80 as a known attacker-controlled SimpleHelp instance.
  • Threat monitoring shows 580 vulnerable SimpleHelp instances exposed online; prioritize patching to versions 5.5.8, 5.4.10, or 5.3.9 to remediate CVE-2024-57727.
  • Akira ransomware attribution for the Sliver-deploying campaign is low-confidence; Field Effect observed signs but lacked sufficient evidence for high-confidence attribution.
  • CVE-2024-57727 affects SimpleHelp v5.5.7 and earlier; fixed versions are 5.5.8, 5.4.10, and 5.3.9 released between January 8–13.
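The detection bullets above translate directly into host-telemetry rules. The following is an added example, not code from the page's sources or from SimpleHelp: it encodes the page's indicators (the 194.76.227.171 SimpleHelp server, the sqladmin/fpmhlttech accounts, the PromptOnSecureDesktop change from the JWrapper launcher, vssadmin shadow deletion, discovery tools spawned from the RMM, and svchost.exe running outside the system directories) as rules over a small constructed event stream. The Event shape, the field names, the approved-server allow-list and the sample paths are assumptions made for the example; a real deployment would map them onto Sysmon or EDR event fields.

```python
# Added example: rule-based detection of SimpleHelp RMM abuse after CVE-2024-57727 exploitation.
# Event layout, field names and APPROVED_SIMPLEHELP_SERVERS are constructed for this example;
# the IOC values (IP, account names, registry value, vssadmin command, JWrapper path) come from the page.
from dataclasses import dataclass
from typing import Iterable

KNOWN_ATTACKER_SIMPLEHELP_IP = "194.76.227.171"             # page IOC
ATTACKER_PERSISTENCE_ACCOUNTS = {"sqladmin", "fpmhlttech"}  # page IOCs
APPROVED_SIMPLEHELP_SERVERS = {"support.example.internal"}  # constructed allow-list (assumption)
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "cmd.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    kind: str            # "process" | "network" | "registry" | "account"
    image: str = ""      # full path of the acting process
    parent: str = ""     # full path of its parent process
    cmdline: str = ""
    dest: str = ""       # remote host or IP (network events)
    key: str = ""        # registry value path (registry events)
    value: str = ""      # new registry data (registry events)
    user: str = ""       # account name (account-creation events)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_simplehelp_process(path: str) -> bool:
    """SimpleHelp agent binaries: 'Remote Access.exe' or anything inside a JWrapper bundle directory."""
    return basename(path) == "remote access.exe" or "jwrapper" in path.lower()


def evaluate(events: Iterable[Event]) -> list[tuple[str, str]]:
    """Return (rule_id, description) for every event that matches one of the page's indicators."""
    findings: list[tuple[str, str]] = []
    for e in events:
        if e.kind == "network" and basename(e.image) == "remote access.exe":
            if e.dest == KNOWN_ATTACKER_SIMPLEHELP_IP:
                findings.append(("SH-01", f"Remote Access.exe connected to known attacker SimpleHelp server {e.dest}"))
            elif e.dest not in APPROVED_SIMPLEHELP_SERVERS:
                findings.append(("SH-02", f"Remote Access.exe connected to unapproved SimpleHelp server {e.dest}"))
        elif e.kind == "process":
            name = basename(e.image)
            cmd = e.cmdline.lower()
            if name in DISCOVERY_TOOLS and is_simplehelp_process(e.parent):
                findings.append(("SH-03", f"discovery tool {name} spawned from the SimpleHelp RMM process"))
            if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd and is_simplehelp_process(e.parent):
                findings.append(("SH-04", "vssadmin shadow copy deletion from a SimpleHelp/JWrapper session"))
            if name == "svchost.exe" and not e.image.lower().startswith(SYSTEM_DIRS):
                findings.append(("SH-05", f"svchost.exe outside the system directories: {e.image}"))
        elif e.kind == "registry":
            if (basename(e.key) == "promptonsecuredesktop"
                    and e.value.strip().lower() in {"0", "false"}
                    and is_simplehelp_process(e.image)):
                findings.append(("SH-06", "UAC PromptOnSecureDesktop disabled by the JWrapper launcher"))
        elif e.kind == "account" and e.user.lower() in ATTACKER_PERSISTENCE_ACCOUNTS:
            findings.append(("SH-07", f"attacker persistence account created: {e.user}"))
    return findings


# Constructed sample telemetry. The JWrapper launcher path and the vssadmin command line are the page's IOCs;
# the Remote Access.exe location and the host names are assumptions.
JWRAPPER_LAUNCHER = (r"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00112084494"
                     r"\JWrapperTemp-1745261021-3-app\bin\windowslauncher.exe")
REMOTE_ACCESS_EXE = r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"

SAMPLE_EVENTS = [
    Event("network", image=REMOTE_ACCESS_EXE, dest="194.76.227.171"),                       # SH-01
    Event("network", image=REMOTE_ACCESS_EXE, dest="support.example.internal"),             # approved, no hit
    Event("network", image=REMOTE_ACCESS_EXE, dest="rmm.unknown-host.test"),                # SH-02
    Event("process", image=r"C:\Windows\System32\net.exe", parent=JWRAPPER_LAUNCHER,
          cmdline="net user"),                                                              # SH-03
    Event("process", image=r"C:\Windows\System32\vssadmin.exe", parent=JWRAPPER_LAUNCHER,
          cmdline=r"C:\Windows\System32\vssadmin.exe 'delete' 'shadows' "
                  r"'/shadow={5aa57685-c258-4396-b702-6722ab58e603}"),                      # SH-04
    Event("process", image=r"C:\Windows\System32\svchost.exe",
          parent=r"C:\Windows\System32\services.exe", cmdline="svchost.exe -k netsvcs"),    # legitimate, no hit
    Event("process", image=r"C:\Users\Public\svchost.exe", parent=JWRAPPER_LAUNCHER,
          cmdline="svchost.exe tunnel run"),                                                # SH-05
    Event("registry", image=JWRAPPER_LAUNCHER,
          key=r"\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
          value="0"),                                                                       # SH-06
    Event("account", user="sqladmin"),                                                      # SH-07
]

if __name__ == "__main__":
    for rule_id, text in evaluate(SAMPLE_EVENTS):
        print(rule_id, text)
```

Rules SH-03, SH-04 and SH-06 deliberately require the SimpleHelp/JWrapper process as parent or actor rather than matching the command alone, which is what separates routine administration from the RMM-driven activity the bullets describe; the allow-list in SH-02 is the part that has to be populated per environment.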

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck           7.5    HIGH
cisa                7.5    HIGH