CVE-2024-57728
Published 2025-01-15
Priority P1 · 85 · high · CVSS 3.1 score 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, remediation due 2026-05-08
Exploited in the wild
EPSS: 7.55% (93.8th percentile)
SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-help | simplehelp | < 5.5.8 | 5.5.8 |
Detection & IOCs (extracted from sources)
Detection and hunting:
- Look for unauthorized SimpleHelp client connections to unrecognized/external SimpleHelp server IPs, particularly 194.76.227[.]171 on port 80.
- Hunt for newly created local administrator accounts named 'sqladmin' or 'fpmhlttech' — both were created by attackers post-exploitation to maintain persistence.
- Detect Sliver beacon (agent.exe) deployment following SimpleHelp RMM sessions; Sliver connects back to a C2 for reverse shell or command execution.
- Detect a Cloudflare Tunnel process masquerading as Windows svchost.exe spawned from or associated with SimpleHelp RMM activity on Domain Controllers.
- Monitor for rapid post-connection discovery commands (net, nltest, scheduled tasks/services enumeration) spawned from the SimpleHelp 'Remote Access.exe' process.
- Alert on zip file uploads to SimpleHelp servers that contain path traversal sequences (zip slip) — crafted zip entries with '../' sequences targeting arbitrary filesystem paths.
- Field Effect observed a command that searched for the CrowdStrike Falcon security suite during post-exploitation — monitor for enumeration of EDR/AV products from RMM-spawned processes.
Context:
- CVE-2024-57728 (zip slip) requires admin-level authentication to exploit; it is most dangerous when chained with CVE-2024-57726 (privilege escalation to admin) and CVE-2024-57727 (unauthenticated file read). Patching all three together is critical.
- Affected versions are SimpleHelp v5.5.7 and earlier; fixed versions are 5.5.8, 5.4.10, and 5.3.9. CISA remediation deadline for FCEB agencies is 2026-05-08.
- SimpleHelp clients installed for past remote support sessions but no longer actively used represent a persistent attack surface and should be uninstalled.
- As of reporting, 580 vulnerable SimpleHelp instances were exposed online (345 in the United States), indicating a broad attack surface for opportunistic exploitation.
- MSP environments using SimpleHelp are at elevated risk: a single compromised SimpleHelp server can be leveraged for supply-chain-style attacks against all downstream managed customers.
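The zip-slip detection bullet above describes a check on entry names before extraction. The following Python is an added example, not code from this page, from SimpleHelp, or from any of the sources quoted here; it shows the server-side check a defender would want: an entry-name validator that catches `../`, backslash variants, absolute paths and drive-letter paths, plus a guarded extractor that refuses the whole archive if any entry would land outside the destination. The sample archives, entry names and directory layout are constructed for the demonstration; the actual SimpleHelp code path is not shown on this page.

```python
import io
import posixpath
import re
import tempfile
import zipfile
from pathlib import Path

# Windows drive-letter prefix such as "C:" (assumption: treated as absolute).
_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def is_unsafe_entry_name(name: str) -> bool:
    """Return True if a zip entry name could escape the extraction directory.

    Backslashes are normalised to '/', absolute and drive-letter paths are
    rejected outright, and the remainder is collapsed with posixpath.normpath
    so that 'nested/../../x' is judged by where it actually lands ('../x').
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_LETTER.match(normalized):
        return True
    collapsed = posixpath.normpath(normalized)
    return collapsed == ".." or collapsed.startswith("../")


def find_traversal_entries(zip_bytes: bytes) -> list[str]:
    """List every entry in the archive whose name fails is_unsafe_entry_name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_unsafe_entry_name(name)]


def safe_extract(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Extract an archive only if every entry stays inside dest.

    Two checks: the name-level check (reject before writing anything), then a
    filesystem-level check that each resolved target path is under the resolved
    destination, as a second line of defence behind the string check.
    """
    flagged = find_traversal_entries(zip_bytes)
    if flagged:
        raise ValueError(f"refusing archive with traversal entries: {flagged}")
    dest = dest.resolve()
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry resolves outside destination: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_sample_zip(include_traversal: bool) -> bytes:
    """Constructed sample archive (not from any real attack or source).

    Always contains two benign entries; with include_traversal=True it also
    contains four entries that use different traversal styles.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "benign content")
        zf.writestr("reports/data/log.txt", "benign content")
        if include_traversal:
            zf.writestr("../../outside.txt", "x")           # classic zip slip
            zf.writestr("..\\..\\outside.txt", "x")         # Windows separators
            zf.writestr("/tmp/absolute.txt", "x")           # absolute path
            zf.writestr("nested/../../escaped.txt", "x")    # traversal hidden behind a prefix
    return buf.getvalue()


def demo() -> dict:
    """Run the detector and the guarded extractor against both sample archives."""
    hostile = build_sample_zip(include_traversal=True)
    benign = build_sample_zip(include_traversal=False)
    result = {"flagged": sorted(find_traversal_entries(hostile))}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp).resolve()
        try:
            safe_extract(hostile, dest)
            result["hostile_rejected"] = False
        except ValueError:
            result["hostile_rejected"] = True
        written = safe_extract(benign, dest)
        result["extracted"] = sorted(p.relative_to(dest).as_posix() for p in written)
    return result


if __name__ == "__main__":
    print(demo())
```

The name check alone is what an upload filter or a WAF-style rule can apply before anything touches disk; the resolved-path check is what the extractor itself should enforce, because it does not depend on recognising every spelling of a traversal sequence. Rejecting the entire archive on the first bad entry, rather than skipping that entry, keeps a partially written upload from being mistaken for a clean one.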
CVSS provenance
- NVD (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.2 HIGH
- CISA: 7.2 HIGH
VulDB
SimpleHelp Remote Support Software up to 5.5.7 ZIP File unrestricted upload (EUVD-2024-53726 / Nessus ID 233191)
vuldb·2026-05-14·CVSS 7.2
CVE-2024-57728 [HIGH] SimpleHelp Remote Support Software up to 5.5.7 ZIP File unrestricted upload (EUVD-2024-53726 / Nessus ID 233191)
A vulnerability was found in SimpleHelp Remote Support Software up to 5.5.7. It has been declared as critical. Impacted is an unknown function of the component ZIP File Handler. Such manipulation leads to unrestricted upload.
This vulnerability is listed as CVE-2024-57728. The attack may be performed from remote. In addition, an exploit is available.
GHSA
GHSA-mchm-7mqx-7299: SimpleHelp remote support software v5
ghsa_unreviewed·2025-01-16
CVE-2024-57728 [HIGH] CWE-22 GHSA-mchm-7mqx-7299: SimpleHelp remote support software v5
SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
VulnCheck
SimpleHelp SimpleHelp Improper Link Resolution Before File Access ('Link Following')
vulncheck·2024·CVSS 7.2
CVE-2024-57728 [HIGH] SimpleHelp SimpleHelp Improper Link Resolution Before File Access ('Link Following')
SimpleHelp SimpleHelp Improper Link Resolution Before File Access ('Link Following')
SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Affected: SimpleHelp SimpleHelp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://x.com/MsftSecIntel/status/1912906407239655833; https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/; http
CISA
SimpleHelp Path Traversal Vulnerability
cisa·2026-04-24·CVSS 7.2
CVE-2024-57728 [HIGH] CWE-22 SimpleHelp Path Traversal Vulnerability
Vulnerability: SimpleHelp Path Traversal Vulnerability
Affected: SimpleHelp SimpleHelp
SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier ; https://nvd.nist.gov/vuln/detail/CVE-2024-57728
Remediation Due Date: 2026-05-08
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
blogs_hackernews·2026-04-25·CVSS 9.9
CVE-2024-57726 [CRITICAL] CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
## CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below -
CVE-2024-57726 (CVSS score: 9.9) - A missing authorization vulnerability in SimpleHelp that could allow low-privileged technicians to create API keys with excessive permissions, which can then be used to escalate privileges to the server admi
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Securelist
IT threat evolution in Q2 2025. Non-mobile statistics
blogs_securelist·2025-09-05
IT threat evolution in Q2 2025. Non-mobile statistics
Table of Contents
The quarter in numbers
Ransomware
Quarterly trends and highlights
Law enforcement success
Vulnerabilities and attacks
Mass exploitation of a vulnerability in SAP NetWeaver
Attacks via the SimpleHelp remote administration tool
Qilin exploits vulnerabilities in Fortinet
Exploitation of a Windows CLFS vulnerability
The most prolific groups
Number of new variants
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 countries and territories attacked by ransomware Trojans
TOP 10 most common families of ransomware Trojans
Miners
Number of new variants
Number of users attacked by miners
Geography of attacked users
TOP 10 countries and territories attacked by miners
Attacks on macOS
TOP 20 threats to macOS
Geography of threats t
Securelist
Desktop and IoT threat report for Q2 2025
blogs_securelist·2025-09-05
Desktop and IoT threat report for Q2 2025
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- IoT threat statistics
- Attacks via web resources
- Local threats
Authors
- AMR
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
## The quarter in numbers
In Q2 2025:
- Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
- Web Anti-Virus detected 77 million unique links.
- File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
- There were 1,702 new ransomwar
Bleepingcomputer
FBI: Play ransomware breached 900 victims, including critical orgs
blogs_bleepingcomputer·2025-06-04·CVSS 9.9
[CRITICAL] FBI: Play ransomware breached 900 victims, including critical orgs
## FBI: Play ransomware breached 900 victims, including critical orgs
By Sergiu Gatlan
In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.
"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024," the FBI warned.
"As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors."
Today's update also notes that the gang uses recompiled malware in every atta
Bleepingcomputer
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
blogs_bleepingcomputer·2025-05-27·CVSS 9.9
CVE-2024-57727 [CRITICAL] DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
## DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
By Lawrence Abrams
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
Sophos was brought in to investigate the attack and believe the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.
SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.
The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems,
Bleepingcomputer
Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
blogs_bleepingcomputer·2025-02-06·CVSS 9.9
CVE-2024-57726 [CRITICAL] Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
## Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
By Bill Toulas
Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
The flaws are tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 and were reported as potentially actively exploited by Arctic Wolf last week. However, the cybersecurity firm could not confirm for sure if the flaws were used.
Cybersecurity firm Field Effect has confirmed to BleepingComputer that the flaws are being exploited in recent attacks and released a report that sheds light on the post-exploitation activity.
Additionally, the cybersecurity researchers mention that the observed activity has signs of Akira ransomware attacks, th
Bleepingcomputer
Hackers exploiting flaws in SimpleHelp RMM to breach networks
blogs_bleepingcomputer·2025-01-28·CVSS 9.9
CVE-2024-57726 [CRITICAL] Hackers exploiting flaws in SimpleHelp RMM to breach networks
## Hackers exploiting flaws in SimpleHelp RMM to breach networks
By Bill Toulas
Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks.
The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow threat actors to download and upload files on devices and escalate privileges to administrative levels.
The vulnerabilities were discovered and disclosed by Horizon3 researchers two weeks ago. SimpleHelp released fixes between January 8 and 13 in product versions 5.5.8, 5.4.10, and 5.3.9.
Arctic Wolf now reports about an ongoing campaign targeting SimpleHelp servers that started roughly a week after Horizon3's public disclosure of the flaws.
The security comp
References
- https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
- https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57728
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-dragonforce
Timeline
- 2025-01-15: Published
- 2026-04-24: Added to CISA KEV
- Exploited in the wild