CVE-2024-57727
Published 2025-01-15
Priority P1 · 94 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-03-06
Exploited in the wild
EPSS: 95.15% (99.9th percentile)
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-help | simplehelp | < 5.5.8 | 5.5.8 |
Detection & IOCs (extracted from sources)
- path: C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access Bundle-00112084494\JWrapperTemp-1745261021-3-app\bin\windowslauncher.exe
- command: C:\Windows\System32\vssadmin.exe 'delete' 'shadows' '/shadow={5aa57685-c258-4396-b702-6722ab58e603}
- Look for the SimpleHelp 'Remote Access.exe' process communicating with unapproved/unknown SimpleHelp servers as an early indicator of compromise.
- Monitor for post-exploitation discovery commands executed via SimpleHelp RMM: 'net', 'nltest', cmd.exe spawned from the RMM process.
- Alert on creation of local administrator accounts named 'sqladmin' or 'fpmhlttech', which are attacker-created persistence accounts observed in active exploitation of CVE-2024-57727.
- Detect Sliver C2 beacon (agent.exe) deployed after SimpleHelp RMM exploitation; monitor for outbound C2 connections from agent.exe to Netherlands-based IPs.
- Detect Cloudflare Tunnel processes masquerading as Windows svchost.exe installed on Domain Controllers following SimpleHelp RMM compromise.
- Monitor for JWrapper (SimpleHelp component) executing files or modifying UAC registry keys; specifically PromptOnSecureDesktop set to false via windowslauncher.exe.
- Monitor for vssadmin delete shadows commands executed in the context of a SimpleHelp/JWrapper session, indicating ransomware pre-staging.
- Track inbound SimpleHelp RMM connections from IP 194.76.227.171 (Estonian server) on port 80 as a known attacker-controlled SimpleHelp instance.
- Threat monitoring shows 580 vulnerable SimpleHelp instances exposed online; prioritize patching to versions 5.5.8, 5.4.10, or 5.3.9 to remediate CVE-2024-57727.
- Note: Akira ransomware attribution for the Sliver-deploying campaign is low-confidence; Field Effect observed signs but lacked sufficient evidence for high-confidence attribution.
- Note: CVE-2024-57727 affects SimpleHelp v5.5.7 and earlier; fixed versions are 5.5.8, 5.4.10, and 5.3.9, released between January 8 and 13.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
GHSA
GHSA-x84r-h282-g729: SimpleHelp remote support software v5
ghsa_unreviewed · 2025-01-16 · HIGH · CWE-22
VulnCheck
SimpleHelp Path Traversal Vulnerability
vulncheck · 2024 · CVSS 7.5 · HIGH · CWE-22
SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords.
Affected: SimpleHelp SimpleHelp
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://x.com/curatedintel/status/1885379463682109525?s=46&t=-dkNDSDHEzyAagaVN0SDgA
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-04&host_type=src&vulnerability=cve-2024-57727
- https://dashboard.shadowserver.o
CISA
SimpleHelp Path Traversal Vulnerability
cisa · 2025-02-13 · CVSS 7.5 · HIGH · CWE-22
Affected: SimpleHelp SimpleHelp
Notes:
- https://simple-help.com/kb---security-vulnerabilities-01-2025
- Additional CISA Mitigation Instructions: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
- https://nvd.nist.gov/vuln/detail/CVE-2024-57727
Remediation Due Date: 2025-03-06
Suricata
ET WEB_SPECIFIC_APPS SimpleHelp Support Server Unauthenticated Path Traversal (serverconfig.xml) (CVE-2024-57727)
suricata · 2025-02-03 · CVSS 7.5 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SimpleHelp Support Server Unauthenticated Path Traversal (serverconfig.xml) (CVE-2024-57727)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e 2e 2f|"; content:"serverconfig.xml"; fast_pattern; endswith; reference:url,www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/; reference:cve,2024-57727; classtype:web-application-attack; sid:2059843; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_03, cve CVE_2024_57727, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confid
Nuclei
SimpleHelp <= 5.5.7 - Unauthenticated Path Traversal
nuclei · CVSS 7.5 · HIGH
SimpleHelp '
condition: and
- type: word
part: content_type
words:
- 'application/octet-stream'
# digest: 4a0a004730450221008ef1e841951d6a0007fa79864507fb5c8e33b58ed3758b8d03e00eeefdd4a7fb02203bfb7dd350f01ae7794310a3ebe9cf882384a51f3c919bd6fd640ea96ed0941b:922c64590222798bb761d5b6d8e72950
Metasploit
SimpleHelp Path Traversal Vulnerability CVE-2024-57727
metasploit · CVSS 7.5 · HIGH
There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests.
Hackernews
INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023
blogs_hackernews · 2026-06-18 · CVE-2023-3519
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023.
"The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said . "United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, te
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews · 2026-04-07 · CVSS 8.8 · HIGH
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer · 2026-04-06 · CVSS 8.8 · HIGH
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Securelist
IT threat evolution in Q2 2025. Non-mobile statistics
blogs_securelist · 2025-09-05
Table of Contents
- The quarter in numbers
- Ransomware
- Quarterly trends and highlights
- Law enforcement success
- Vulnerabilities and attacks
- Mass exploitation of a vulnerability in SAP NetWeaver
- Attacks via the SimpleHelp remote administration tool
- Qilin exploits vulnerabilities in Fortinet
- Exploitation of a Windows CLFS vulnerability
- The most prolific groups
- Number of new variants
- Number of users attacked by ransomware Trojans
- Geography of attacked users
- TOP 10 countries and territories attacked by ransomware Trojans
- TOP 10 most common families of ransomware Trojans
- Miners
- Number of new variants
- Number of users attacked by miners
- Geography of attacked users
- TOP 10 countries and territories attacked by miners
- Attacks on macOS
- TOP 20 threats to macOS
- Geography of threats t
Securelist
Desktop and IoT threat report for Q2 2025
blogs_securelist · 2025-09-05
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- IoT threat statistics
- Attacks via web resources
- Local threats
Authors
- AMR
IT threat evolution in Q2 2025. Non-mobile statistics
IT threat evolution in Q2 2025. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
## The quarter in numbers
In Q2 2025:
- Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
- Web Anti-Virus detected 77 million unique links.
- File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
- There were 1,702 new ransomwar
Talos
Talos IR ransomware engagements and the significance of timeliness in incident response
blogs_talos · 2025-07-16
- Cisco Talos routinely responds to ransomware engagements where the impact could have been mitigated or wholly prevented if the victim organization had initiated remediation efforts earlier in the attack lifecycle. The significance of early intervention in ransomware attacks is particularly exemplified by two recent Cisco Talos Incident Response (Talos IR) ransomware engagements.
- In one incident, the victim engaged Talos IR immediately after discovering malicious activity alerts. Talos IR worked swiftly to combat additional malicious activity and prevented the execution of any encryption in the environment.
- Conversely, in a second incident, the victim ignored alerts of malicious activity and did not contact Talos IR until after the ransomware binary began to execute. Talos IR was then
Tenable
Cybersecurity Snapshot: Tenable Report Spotlights Cloud Exposures, as Google Catches Pro-Russia Hackers Impersonating Feds
blogs_tenable · 2025-06-20
Bleepingcomputer
FBI: Play ransomware breached 900 victims, including critical orgs
blogs_bleepingcomputer · 2025-06-04 · CVSS 9.9 · CRITICAL
By Sergiu Gatlan
In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.
"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024," the FBI warned.
"As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors."
Today's update also notes that the gang uses recompiled malware in every atta
Bleepingcomputer
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
blogs_bleepingcomputer · 2025-05-27 · CVSS 9.9 · CRITICAL · CVE-2024-57727
By Lawrence Abrams
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
Sophos was brought in to investigate the attack and believes the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.
SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.
The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems,
Bleepingcomputer
Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
blogs_bleepingcomputer · 2025-02-06 · CVSS 9.9 · CRITICAL · CVE-2024-57726
By Bill Toulas
Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
The flaws are tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 and were reported as potentially actively exploited by Arctic Wolf last week. However, the cybersecurity firm could not confirm for sure if the flaws were used.
Cybersecurity firm Field Effect has confirmed to BleepingComputer that the flaws are being exploited in recent attacks and released a report that sheds light on the post-exploitation activity.
Additionally, the cybersecurity researchers mention that the observed activity has signs of Akira ransomware attacks, th
Bleepingcomputer
Hackers exploiting flaws in SimpleHelp RMM to breach networks
blogs_bleepingcomputer · 2025-01-28 · CVSS 9.9 · CRITICAL · CVE-2024-57726
By Bill Toulas
Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks.
The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow threat actors to download and upload files on devices and escalate privileges to administrative levels.
The vulnerabilities were discovered and disclosed by Horizon3 researchers two weeks ago. SimpleHelp released fixes between January 8 and 13 in product versions 5.5.8, 5.4.10, and 5.3.9.
Arctic Wolf now reports about an ongoing campaign targeting SimpleHelp servers that started roughly a week after Horizon3's public disclosure of the flaws.
The security comp
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
References:
- https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
- https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57727
Timeline:
- 2025-01-15: Published
- 2025-02-13: Added to CISA KEV
- Exploited in the wild