Active Exploitation of Critical Vulnerability Chain in SimpleHelp

CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 can be exploited in a chain to allow full compromise of a SimpleHelp server

Threat ID:: CC-4623
Threat Severity:: Medium
Published:: 14 February 2025 2:03 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 can be exploited in a chain to allow full compromise of a SimpleHelp server

Affected platforms

The following platforms are known to be affected:

SimpleHelp

Version 5.3: all prior to 5.3.9
Version 5.4: all prior to 5.4.10
Version 5.5: all prior to 5.5.8

Threat details

Active exploitation of vulnerabilities in exploit chain

Security researchers have observed exploitation of CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 in an exploit chain. The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

SimpleHelp has released security updates to address one critical and two high severity vulnerabilities in SimpleHelp. SimpleHelp is a remote monitoring and management (RMM) tool that allows administrators and service desk technicians to provide remote support and monitor devices on the network.

The three vulnerabilities can be used in an exploit chain, which could allow a remote unauthenticated attacker to execute arbitrary code, steal server configuration files and credentials, and escalate their privileges.

Vulnerability details

CVE-2024-57726 is a 'missing authorisation' vulnerability with a CVSSv3 score of 9.9. If exploited, a remote authenticated attacker could create overly permissive API keys that could be used for privilege escalation.
CVE-2024-57727 is a 'path traversal' vulnerability with a CVSSv3 score of 7.5. If exploited, a remote unauthenticated attacker could download arbitrary files from the SimpleHelp host via crafted HTTP requests, including server configuration files and credentials.
CVE-2024-57728 is a 'path traversal' vulnerability with a CVSSv3 score of 7.2. If exploited, a remote, authenticated attacker with administrator privileges could upload arbitrary files anywhere on the file system, which could allow the attacker to execute arbitrary code in the context of the SimpleHelp server user.

Remediation advice

Affected organisations are strongly encouraged to review the SimpleHelp security advisory Security Vulnerabilities in SimpleHelp 5.5.7 and earlier and apply the relevant updates as soon as practicable.

Definitive source of threat updates

https://simple-help.com/kb---security-vulnerabilities-01-2025

CVE Vulnerabilities

Status Published

CVE-2024-57726

SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.

Status Published

CVE-2024-57727

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.

Status Published

CVE-2024-57728

SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

Last edited: 14 February 2025 2:03 pm