Executive Summary
Three chained vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software — CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 — are being actively exploited by the Medusa and DragonForce ransomware-as-a-service (RaaS) operations to breach managed service providers and their downstream customers. CISA added these to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026, setting a federal remediation deadline. Organizations running SimpleHelp 5.5.7 or earlier must patch immediately — unauthenticated file exfiltration combined with privilege escalation to server admin gives attackers a full foothold before ransomware is ever deployed.
1. What Is This Vulnerability?
SimpleHelp is a self-hosted remote support and RMM platform widely used by managed service providers (MSPs) and IT departments. It allows technicians to remotely access and manage client endpoints. Because SimpleHelp servers often have access to hundreds or thousands of client machines, a compromise of the server has massive downstream impact.
The three CVEs form a natural attack chain:
CVE-2024-57726 — Missing Authorization (CVSS 9.9, Critical)
The most severe of the three. SimpleHelp's API key management endpoint fails to enforce authorization checks for low-privileged "Technician" accounts. A technician-level user can call the API key creation endpoint and generate a key with full server administrator privileges, bypassing the intended permission model entirely.
# Conceptual attack flow
POST /api/v1/apikeys
Authorization: Bearer <low-priv-technician-token>
{
"name": "backdoor",
"permissions": ["admin", "all"] # No server-side permission check occurs
}
# Response grants an admin-scoped key — elevation complete
This is a broken access control flaw (CWE-862). The server never validates that the requesting user has the authority to create keys at the requested privilege level.
CVE-2024-57727 — Unauthenticated File Read / Information Disclosure
A path traversal vulnerability in SimpleHelp's web server allows unauthenticated attackers to read arbitrary files from the host filesystem. An attacker only needs network access to the SimpleHelp server's HTTP/HTTPS port.
# Traversal request — no authentication required
GET /files/../../etc/shadow HTTP/1.1
Host: simplehelp.victim.com
GET /files/../../../windows/system32/config/sam HTTP/1.1
This can be used to extract configuration files containing database credentials, SimpleHelp admin passwords, or OS-level password hashes — feeding directly into step 2 (CVE-2024-57726).
CVE-2024-57728 — Zip Slip / Arbitrary File Write (CVSS 7.2, High)
Once admin access is obtained (via CVE-2024-57726), this vulnerability allows uploading a maliciously crafted ZIP archive that writes files to arbitrary locations on the server filesystem. The SimpleHelp file extraction routine fails to sanitize directory traversal sequences (../) within ZIP entry names.
# Malicious ZIP construction (attacker's machine)
import zipfile

with zipfile.ZipFile("malicious.zip", "w") as zf:
    # Path traversal in ZIP entry name
    zf.write("shell.jsp", "../../webapps/simplehelp/shell.jsp")
# File lands outside intended extraction directory
# Results in a webshell deployed to the SimpleHelp web root
This achieves Remote Code Execution (RCE) on the SimpleHelp server, giving attackers an interactive shell in the context of the SimpleHelp service user — often SYSTEM on Windows deployments.
Attack Vector
The full unauthenticated-to-RCE chain:
- Reconnaissance: Identify publicly exposed SimpleHelp servers (Shodan, Censys)
- CVE-2024-57727: Read serverconfig.xml or an equivalent config file without authentication to harvest credentials or API tokens
- CVE-2024-57726: Use a compromised low-privilege technician account (or harvested credentials) to escalate to server admin via unauthorized API key creation
- CVE-2024-57728: Upload a ZIP containing a webshell to achieve code execution on the server
- Lateral movement: From the SimpleHelp server, push malicious payloads to all connected client endpoints
Real-World Impact
From early 2025 through present, the Medusa and DragonForce ransomware groups weaponized this exact chain:
- Medusa deployed PDQ Inventory and PDQ Deploy as living-off-the-land tools, using them to push "Gaze.exe" ransomware payloads across victim networks. Base64-encoded PowerShell disabled Windows Defender before encryption. RClone (renamed "lsp.exe") was used for data exfiltration.
- DragonForce installed AnyDesk post-compromise for interactive access, created local admin accounts named "admin" for persistence, and specifically targeted backup infrastructure, executing "Get-Veeam-Creds.ps1" to extract plaintext credentials from Veeam SQL stores. Restic (configured with Wasabi S3-compatible endpoints) handled exfiltration. Encrypted files received the *.dragonforce_encrypted extension, with ransom notes named "readme.txt".
Multiple UK organizations suffered confirmed ransomware incidents in Q1–Q2 2025 traceable directly to unpatched SimpleHelp servers.
2. Who Is Affected?
| Component | Vulnerable Versions |
|---|---|
| SimpleHelp Server | All versions ≤ 5.5.7 |
| SimpleHelp (Windows, Linux, macOS hosted) | All platforms ≤ 5.5.7 |
Risk amplification factors:
- SimpleHelp servers exposed directly to the internet (no VPN/firewall restriction)
- Servers running as SYSTEM (Windows) or root (Linux/macOS)
- Organizations with large numbers of managed endpoints connected to the server
- MSPs where a single SimpleHelp server manages multiple customer environments
3. How to Detect It (Testing)
Manual Testing Steps
Test for CVE-2024-57727 (Unauthenticated File Read):
- Step 1: Identify the SimpleHelp server URL and port (default: 80/443)
- Step 2: Send an unauthenticated GET request with path traversal sequences. curl collapses ../ segments before sending unless --path-as-is is given, so without that flag the server never sees the traversal:
curl -sk --path-as-is "https://simplehelp.yourorg.com/files/../../etc/passwd"
curl -sk --path-as-is "https://simplehelp.yourorg.com/files/../serverconfig.xml"
- Step 3: If the response contains file contents (e.g., /etc/passwd entries or XML config data), the server is vulnerable
Test for CVE-2024-57726 (Missing Authorization):
- Step 1: Log in as a low-privileged Technician account
- Step 2: Attempt to call the API key creation endpoint with elevated permission scope
- Step 3: If the server returns a valid API key without rejecting the elevated scope, the endpoint is vulnerable to privilege escalation
Check version:
# Retrieve the SimpleHelp version from the about/version endpoint
curl -sk "https://simplehelp.yourorg.com/api/version"
# Or check the admin dashboard: Admin > About > Version
Automated Scanning
Tool: Nuclei (Project Discovery)
# Search for SimpleHelp-specific templates
nuclei -u https://simplehelp.yourorg.com \
-tags simplehelp \
-severity critical,high
# General path traversal check
nuclei -u https://simplehelp.yourorg.com \
-t path-traversal/ \
-severity critical,high
Tool: Nessus / Tenable
- Search the plugin database for "SimpleHelp" — Tenable released dedicated plugins for these CVEs
- Run plugin 304404 (SimpleHelp) against the server
Tool: Shodan / Censys (exposure check)
# Identify your SimpleHelp instances exposed to the internet
shodan search "SimpleHelp" org:"YourOrganization"
censys search 'services.http.response.headers.server: "SimpleHelp"'
Code Review / Configuration Checklist
- Confirm SimpleHelp server version is 5.5.8 or later
- Verify SimpleHelp is not exposed directly to the internet without VPN/firewall restriction
- Audit all API keys in Admin > API Keys — revoke any unrecognized or overprivileged keys
- Review Technician account list for unrecognized accounts
- Check firewall/access logs for GET requests containing ../ sequences to the SimpleHelp port
- Confirm the SimpleHelp service user is NOT running as SYSTEM/root (run as a least-privilege service account)
4. How to Fix It (Mitigation)
Step-by-Step Remediation
- Immediately update SimpleHelp to version 5.5.8 or later
  - Download from the official SimpleHelp releases page
  - The patch adds proper authorization checks on API key creation and sanitizes ZIP extraction paths
- Revoke all existing API keys and re-issue only those that are needed
  - Admin Panel > Configuration > API Keys > Delete All > Re-create required keys
- Restrict network access: SimpleHelp should not be exposed directly to the internet
# UFW example: allow SimpleHelp only from trusted IP ranges (allow rules must precede the deny rules)
ufw allow from 10.0.0.0/8 to any port 80
ufw allow from 10.0.0.0/8 to any port 443
ufw deny 80
ufw deny 443
- Audit Technician accounts: remove any accounts not recognized or no longer needed
  - Admin Panel > Technicians > review all accounts
  - Reset passwords for all retained accounts
- Change the SimpleHelp service account from SYSTEM/root to a dedicated least-privilege service account:
# Windows: create a restricted service account
New-LocalUser -Name "simplehelp_svc" -NoPassword
# Assign only necessary file system permissions
icacls "C:\Program Files\SimpleHelp" /grant "simplehelp_svc:(OI)(CI)RX"
- Enable Web Application Firewall (WAF) rules to block path traversal patterns targeting the SimpleHelp URL path
Code Fix Example (What SimpleHelp 5.5.8 Addressed)
Before (vulnerable): API key creation endpoint accepted any permission scope from the requesting token without validating whether the caller had authority to grant those permissions.
After (patched): Server validates that the permission set requested for the new API key is a strict subset of the permissions held by the requesting user's token. Attempts to escalate result in HTTP 403.
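An added Python illustration of the check described above (not SimpleHelp's code; the permission names, the wildcard handling and the endpoint shape are constructed for this example): the requested scope is expanded, compared against the caller's own scope, and any excess is refused with 403 rather than silently clipped. Equal scope is permitted here; tighten the comparison if keys must always be narrower than their creator.

```python
from http import HTTPStatus

# Full permission set for this example (constructed; SimpleHelp's real permission names are not on the page)
ALL_PERMISSIONS = frozenset({
    "session.connect", "session.file_transfer", "session.script",
    "technician.manage", "apikey.manage", "server.config",
})
# Wildcards expand to the whole set, so a request for ["admin", "all"] is judged on what it really grants
WILDCARDS = {"admin", "all", "*"}


def expand(perms):
    """Resolve wildcard names to concrete permissions; unknown names are kept so they fail the subset test."""
    out = set()
    for p in perms:
        out |= ALL_PERMISSIONS if p in WILDCARDS else {p}
    return out


def create_api_key_vulnerable(caller_perms, requested_perms):
    """Pre-5.5.8 behaviour as the advisory describes it: the requested scope is stored unchecked."""
    return HTTPStatus.CREATED, {"permissions": sorted(expand(requested_perms))}


def create_api_key_patched(caller_perms, requested_perms):
    """Patched behaviour: a new key may not carry any permission the caller's own token lacks."""
    have, want = expand(caller_perms), expand(requested_perms)
    excess = want - have
    if excess:
        # Refuse and report the excess; clipping the scope quietly would hide the probing from audit
        return HTTPStatus.FORBIDDEN, {"error": "requested scope exceeds caller scope", "excess": sorted(excess)}
    return HTTPStatus.CREATED, {"permissions": sorted(want)}
```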
ZIP extraction — Before (vulnerable):
// Pseudo-code of vulnerable extraction
for (ZipEntry entry : zip.entries()) {
    File destFile = new File(destDir, entry.getName()); // No traversal check!
    extractTo(destFile, entry);
}
ZIP extraction — After (patched):
for (ZipEntry entry : zip.entries()) {
    File destFile = new File(destDir, entry.getName());
    // Canonical path check prevents traversal
    if (!destFile.getCanonicalPath().startsWith(destDir.getCanonicalPath() + File.separator)) {
        throw new SecurityException("ZIP slip attempt detected: " + entry.getName());
    }
    extractTo(destFile, entry);
}
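The same canonical-path check as an added, runnable Python example (not the vendor's code), with a self-test that feeds a constructed archive holding one benign entry and one traversal entry through the extractor and confirms nothing lands outside the destination.

```python
import io
import os
import tempfile
import zipfile


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that resolve inside dest_dir; return (extracted, rejected) name lists.
    realpath resolves '..' and symlinks; commonpath gives the same guarantee as the
    startsWith(canonicalDestDir + separator) test in the patched Java without string handling."""
    dest_root = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters would ignore dest_root entirely; reject them outright
            if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append(name)  # Zip Slip: entry would land outside dest_dir
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_test_zip():
    """Constructed archive: one benign entry and one traversal entry (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../outside_sentinel.txt", "should never be written")
    return buf.getvalue()


def demo():
    """Extract the test archive into a scratch directory; return what was kept, what was dropped,
    and whether the sentinel file escaped to the path the traversal entry pointed at."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract_here")
        os.makedirs(dest)
        extracted, rejected = safe_extract(build_test_zip(), dest)
        sentinel = os.path.realpath(os.path.join(dest, "../../outside_sentinel.txt"))
        return extracted, rejected, os.path.exists(sentinel)
```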
Configuration Hardening
# SimpleHelp server.properties hardening recommendations
# Bind to localhost only if behind a reverse proxy
server.bind.address=127.0.0.1
# Restrict file upload size to limit ZIP bomb/slip payloads (50 MB; Java properties files do not allow trailing comments)
server.max.upload.size=52428800
# Enable audit logging
server.audit.log.enabled=true
server.audit.log.path=/var/log/simplehelp/audit.log
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A: After upgrading to 5.5.8, repeat the CVE-2024-57727 path traversal curl requests — confirm the server returns 400 or 403 instead of file contents
- Scenario B: Log in as a Technician-level account and attempt to create an API key with admin scope — confirm the server returns 403 Forbidden
- Scenario C: Attempt to upload a crafted ZIP file containing ../ traversal paths and confirm extraction is rejected with an error and no files appear outside the intended directory
- Scenario D: Verify all legitimate RMM functionality (remote session, file transfer, script execution) continues to work correctly for authorized users
Security Test Cases
Test Case 1: Verify path traversal (CVE-2024-57727) is remediated
- Precondition: SimpleHelp upgraded to 5.5.8+
- Steps: send the traversal probe with the path left unnormalized (curl collapses ../ without --path-as-is):
curl -sk --path-as-is "https://simplehelp.yourorg.com/files/../../etc/passwd"
- Expected result: HTTP 400 or 403, no file contents returned
Test Case 2: Verify privilege escalation (CVE-2024-57726) is blocked
- Precondition: SimpleHelp upgraded to 5.5.8+, Technician account available
- Steps: Authenticate as Technician, send an API key creation request with admin scope
- Expected result: HTTP 403 Forbidden
Test Case 3: Verify ZIP slip (CVE-2024-57728) is blocked
- Precondition: SimpleHelp upgraded to 5.5.8+, admin account available
- Steps: Upload a ZIP file with an entry named ../../test_traversal.txt
- Expected result: Upload rejected or extraction refused with a security error; no file created outside the destination directory
Automated Validation Test
import io
import zipfile

import requests

TARGET = "https://simplehelp.yourorg.com"

def test_path_traversal():
    # requests (via urllib3) collapses literal ../ segments before sending, so the probe
    # uses the percent-encoded form; a vulnerable server decodes it after routing
    r = requests.get(f"{TARGET}/files/..%2F..%2Fetc%2Fpasswd", verify=False, timeout=10)
    assert r.status_code in [400, 403, 404], f"FAIL: Got {r.status_code} — possible traversal still open"
    assert "root:" not in r.text, "FAIL: /etc/passwd contents returned — CVE-2024-57727 NOT patched"
    print("[PASS] CVE-2024-57727 path traversal blocked")

def test_zip_slip(session):
    # Build an in-memory ZIP whose only entry escapes the extraction directory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../test_traversal_sentinel.txt", "pwned")
    buf.seek(0)
    r = session.post(f"{TARGET}/admin/upload",
                     files={"file": ("test.zip", buf, "application/zip")},
                     verify=False, timeout=30)
    assert r.status_code in [400, 403, 500], f"FAIL: Upload returned {r.status_code} — check if traversal was allowed"
    print("[PASS] CVE-2024-57728 ZIP slip upload blocked or rejected")

if __name__ == "__main__":
    test_path_traversal()
    # Add authenticated session setup before calling test_zip_slip, e.g.:
    #   session = requests.Session()
    #   session.headers["Authorization"] = "Bearer <admin-api-key>"
    #   test_zip_slip(session)
    print("Validation complete — review results above")
6. Prevention & Hardening
Best Practices
- Segment RMM access behind a VPN: SimpleHelp (and all RMM platforms) should never be directly internet-exposed. Require VPN authentication before the SimpleHelp login page is even reachable.
- Apply the principle of least privilege to Technician accounts: Grant only the access levels genuinely needed; regularly audit account lists.
- Patch RMM software on a rapid cadence: RMM platforms are high-value targets precisely because they have access to all managed endpoints. Treat RMM software patches as emergency-class updates.
- Monitor for unauthorized API key creation: Alert on any new API key created outside a defined change window.
- Run SimpleHelp as a non-privileged service account: If the server is compromised, limiting the process privilege limits what attackers can do on the host OS.
Monitoring & Detection
Watch for the following indicators in logs and SIEM:
# Indicators of Compromise (IOCs)
# CVE-2024-57727 exploitation attempts (path traversal in access logs)
GET /files/..%2F..%2Fetc%2Fpasswd
GET /files/../../serverconfig.xml
GET /files/../../../windows/system32/config/sam
# Post-exploitation tools (file names observed in DragonForce/Medusa campaigns)
Get-Veeam-Creds.ps1 # Credential harvesting from Veeam
netscan.exe # Network reconnaissance
lsp.exe # RClone renamed for evasion (Medusa)
Gaze.exe # Medusa ransomware payload
*.dragonforce_encrypted # DragonForce encrypted file extension
readme.txt (ransom note) # DragonForce ransom note
# Suspicious account creation (lateral movement persistence)
net user admin /add
New-LocalUser -Name "admin"
SIEM detection rule (Sigma format). The traversal sequence sits in the URI path rather than the query string, so the rule matches on cs-uri-stem; the encoded variants matter because a server that canonicalizes the path before logging only records the literal form when the request was encoded:
title: SimpleHelp Path Traversal Attempt
status: stable
description: Detects directory traversal sequences in requests to the SimpleHelp /files/ path (CVE-2024-57727)
logsource:
  category: webserver
detection:
  selection_path:
    cs-uri-stem|contains: '/files/'
  selection_traversal:
    cs-uri-stem|contains:
      - '../'
      - '..%2F'
      - '..%5C'
  condition: selection_path and selection_traversal
level: high
tags:
  - attack.initial_access
  - cve.2024.57727
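As an added example (not from the advisory), the same detection applied to constructed access-log lines in Python: the path is percent-decoded until it stops changing, so the ..%2F, ..%5C and double-encoded %252E%252E forms all collapse to ../ before matching, and backslashes are folded to forward slashes. The log lines and addresses are constructed test data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real SimpleHelp logs)
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2026:10:01:12 +0000] "GET /files/report.pdf HTTP/1.1" 200 5120
198.51.100.7 - - [02/May/2026:10:01:13 +0000] "GET /files/../../serverconfig.xml HTTP/1.1" 200 2048
198.51.100.7 - - [02/May/2026:10:01:14 +0000] "GET /files/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1320
198.51.100.9 - - [02/May/2026:10:01:15 +0000] "GET /files/%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 404 312
10.0.0.8 - - [02/May/2026:10:01:16 +0000] "GET /api/version HTTP/1.1" 200 40
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def canonical_path(uri, max_rounds=3):
    """Percent-decode the URI path until it stops changing (catches double encoding)
    and fold backslashes to forward slashes so '..\\' is treated like '../'."""
    path = uri.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_traversal_attempt(uri):
    """True when the request targets /files/ and carries a parent-directory segment."""
    path = canonical_path(uri)
    return "/files/" in path and "../" in path


def scan_log(text):
    """Return (source IP, status, raw URI) for each line that looks like a CVE-2024-57727 probe.
    A 200 on a traversal path is the case to escalate: the server returned something for it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["uri"]):
            hits.append((m["src"], int(m["status"]), m["uri"]))
    return hits
```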
Endpoint telemetry — watch for:
- AnyDesk installation on servers (post-compromise persistence)
- Restic or RClone processes initiating large outbound transfers
- PowerShell executing base64-encoded commands touching Defender exclusions
- New local administrator account creation ("admin") outside change management
References
- CVE-2024-57726: NVD Entry | DailyCVE Analysis
- CVE-2024-57728: NVD Entry | DailyCVE Analysis
- CISA KEV Addition (April 24, 2026): CISA Alert
- Qualys ThreatPROTECT: Combined Advisory
- DragonForce/Medusa Campaign Analysis: The Hacker News | ZenSec Research
- Patch Download: SimpleHelp Update Guide
- Cybersecurity News Coverage: CybersecurityNews | GBHackers