CVE-2024-57728
published 2025-01-15

CVE-2024-57728: SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file…

Priority: P1 · 85 · high
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2026-05-08
Exploited in the wild
EPSS: 7.55% (93.8th percentile)
SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

Affected

1 range
Vendor       Product     Version range   Fixed in
simple-help  simplehelp  < 5.5.8         5.5.8

Detection & IOCs (extracted from sources)

ip       194.76.227[.]171
process  svchost.exe
process  Remote Access.exe
  • Look for unauthorized SimpleHelp client connections to unrecognized/external SimpleHelp server IPs, particularly 194.76.227[.]171 on port 80.
  • Hunt for newly created local administrator accounts named 'sqladmin' or 'fpmhlttech' — both were created by attackers post-exploitation to maintain persistence.
  • Detect Sliver beacon (agent.exe) deployment following SimpleHelp RMM sessions; Sliver connects back to a C2 for reverse shell or command execution.
  • Detect a Cloudflare Tunnel process masquerading as Windows svchost.exe spawned from or associated with SimpleHelp RMM activity on Domain Controllers.
  • Monitor for rapid post-connection discovery commands (net, nltest, scheduled tasks/services enumeration) spawned from the SimpleHelp 'Remote Access.exe' process.
  • Alert on zip file uploads to SimpleHelp servers that contain path traversal sequences (zip slip) — crafted zip entries with '../' sequences targeting arbitrary filesystem paths.
  • Field Effect observed a command that searched for the CrowdStrike Falcon security suite during post-exploitation — monitor for enumeration of EDR/AV products from RMM-spawned processes.
  • CVE-2024-57728 (zip slip) requires admin-level authentication to exploit; it is most dangerous when chained with CVE-2024-57726 (privilege escalation to admin) and CVE-2024-57727 (unauthenticated file read). Patching all three together is critical.
  • Affected versions are SimpleHelp v5.5.7 and earlier; fixed versions are 5.5.8, 5.4.10, and 5.3.9. CISA remediation deadline for FCEB agencies is 2026-05-08.
  • SimpleHelp clients installed for past remote support sessions but no longer actively used represent a persistent attack surface and should be uninstalled.
  • As of reporting, 580 vulnerable SimpleHelp instances were exposed online (345 in the United States), indicating a broad attack surface for opportunistic exploitation.
  • MSP environments using SimpleHelp are at elevated risk: a single compromised SimpleHelp server can be leveraged for supply-chain-style attacks against all downstream managed customers.
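The zip-slip bullet above describes crafted archive entries whose paths escape the extraction root. The following Python example is added here and is not code from SimpleHelp or from this page's sources; it shows one way a server-side pre-extraction check (or a detection rule applied to uploaded archives) can flag such entries: absolute paths, drive-letter paths, symlink members, and relative names that normalise outside the destination. The destination root `/opt/simplehelp` is an assumed placeholder, and the sample archive is constructed inline for illustration.

```python
import io
import posixpath
import zipfile
from typing import Dict

# Assumed placeholder for the server's extraction directory (not SimpleHelp's real path).
DEFAULT_ROOT = "/opt/simplehelp"


def unsafe_entries(zip_bytes: bytes, dest_root: str = DEFAULT_ROOT) -> Dict[str, str]:
    """Map each archive member name that should not be extracted to the reason.

    Checks every member *before* anything is written to disk, which is the
    point at which a zip-slip upload has to be stopped.
    """
    flagged: Dict[str, str] = {}
    root = posixpath.normpath(dest_root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Zip names should use '/', but some writers emit backslashes;
            # normalise so 'a\..\b' is judged the same way as 'a/../b'.
            candidate = name.replace("\\", "/")

            # Absolute and drive-letter paths never belong in an upload.
            if candidate.startswith("/"):
                flagged[name] = "absolute path"
                continue
            if len(candidate) > 1 and candidate[1] == ":":
                flagged[name] = "drive-letter path"
                continue

            # A symlink member (Unix mode bits in the high 16 bits of
            # external_attr) can redirect later writes outside the root.
            mode = (info.external_attr >> 16) & 0o170000
            if mode == 0o120000:
                flagged[name] = "symlink member"
                continue

            # Resolve the relative name against the root and require containment.
            target = posixpath.normpath(posixpath.join(root, candidate))
            if target != root and not target.startswith(root + "/"):
                flagged[name] = "escapes extraction root"
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("configuration/branding.xml", "<branding/>")        # benign
        zf.writestr("../../../tmp/zip-slip-marker.txt", "traversal")   # classic '../' escape
        zf.writestr("/etc/cron.d/absolute", "absolute path")           # absolute path
        zf.writestr("nested/../../sideways.txt", "sneaky")             # looks nested, resolves outside
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in unsafe_entries(build_sample_zip()).items():
        print(f"REJECT {member!r}: {reason}")
```

The containment test compares the normalised target against `root + "/"` rather than a bare prefix, so a sibling directory such as `/opt/simplehelp2` is not mistaken for the root. On a real server the same function would run over the uploaded archive and the whole upload would be rejected if the returned mapping is non-empty.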

CVSS provenance

nvd        v3.1  7.2  HIGH  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck        7.2  HIGH
cisa             7.2  HIGH