- February 26, 2025
- Beazley Security Labs
SimpleHelp Path Traversal Vulnerability (CVE-2024-57727)
Executive Summary
On January 15th, multiple vulnerabilities were reported in SimpleHelp’s Remote Support Software product. One of the vulnerabilities, CVE-2024-57727, would allow successful attackers to access arbitrary files on a victim’s server, including sensitive configuration files containing passwords.
On February 13th, malicious threat actors were observed using this vulnerability, prompting CISA to add it to their Known Exploited Vulnerability (KEV) list. On February 25th, an exploit module was released to the publicly available penetration testing framework Metasploit with accompanying proof-of-concept (PoC) code.
Threat actors have targeted SimpleHelp Remote Support software in the past to execute attacks, such as this example where Iranian threat actors used the platform to maintain persistent access to compromised systems. Given how easily the recent vulnerabilities can be exploited remotely and the free availability of off-the-shelf exploit tools, Beazley Security recommends that impacted organizations patch their software immediately.
Affected Systems or Products
SimpleHelp Remote Support Server versions earlier than 5.5.7 are vulnerable to a directory traversal vulnerability that allows sensitive configuration information to be leaked. Please see the table below and mitigations section for guidance on how to mitigate this vulnerability.
| Software | Affected Versions | Fixed Versions |
| --- | --- | --- |
| SimpleHelp v5.5 | 5.5.7 and earlier | 5.5.8 and later |
| SimpleHelp v5.4 | 5.4.9 and earlier | 5.4.10 and later |
| SimpleHelp v5.3 | 5.3.8 and earlier | 5.3.9 and later |
Mitigations / Workarounds
SimpleHelp has released new versions of software to mitigate this vulnerability. Beazley Security strongly recommends that users immediately download and install the latest version of software and change passwords for technician accounts, especially the default SimpleHelpAdmin user, if enabled. We also recommend the following actions:
- Disable the default SimpleHelpAdmin technician account and leverage purpose-built technician accounts, preferably using a third-party authentication service such as Active Directory to manage access to SimpleHelp admin systems.
- If possible, limit network access to the SimpleHelp server by restricting access to trusted networks that only expected, authorized technicians and admins would log in from.
- Review any exposed, vulnerable server and systems managed by SimpleHelp services for signs of unauthorized access.
To manage technician accounts, SimpleHelp has made available this administrator guide with steps to harden the SimpleHelp configuration. This includes instructions on how to disable the default SimpleHelpAdmin account.
Patches
SimpleHelp has provided an update to patch the most critical directory traversal vulnerability impacting SimpleHelp’s Remote Support software, CVE-2024-57727, and two other vulnerabilities disclosed at the same time, CVE-2024-57726 and CVE-2024-57728. The latest version of SimpleHelp software can be obtained from the vendor’s download page.
Upgrade instructions for server versions v5.5.8 or later are available on the SimpleHelp administrative page.
Indicators of Compromise
At the time of this writing, there have not been any indicators of compromise publicly released by SimpleHelp.
Per research done by HORIZON3.ai, the running version of SimpleHelp can be detected by browsing to the <serverip>/allversions URL of the server, with versions 5.5.7 or lower likely being vulnerable:

Figure 1: SimpleHelp version listing
We recommend that any vulnerable SimpleHelp servers and systems managed within SimpleHelp be reviewed for unexpected or unauthorized access.
Technical Details
A vulnerability in SimpleHelp server versions 5.5.7 and prior (CVE-2024-57727) permits a directory traversal attack, which if successfully exploited allows an unauthenticated attacker to arbitrarily download files from SimpleHelp. In an article by HORIZON3.ai, this traversal vulnerability is considered most critical as it could allow leaking sensitive SimpleHelp configuration information.
Because SimpleHelp keeps its configuration files on disk, it is trivial for an attacker to exploit this vulnerability and download these sensitive files to extract user accounts and credentials. The exploit made available in the Metasploit framework specifically targets the location of this configuration file, serverconfig.xml, within the default configuration folder:

Figure 2: Metasploit SimpleHelp path traversal
If successful, credentials and other sensitive system environment information could be extracted from the downloaded configuration to compromise the server.
Because technician credentials can often be used to connect both to the server and to the systems remotely managed through the server interface, leaked configurations could result in further lateral movement within the SimpleHelp managed ecosystem.
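The following added example, which is not code from this advisory, SimpleHelp or HORIZON3.ai, supports the log review recommended above: it percent-decodes each request target repeatedly and flags `..` path segments and references to serverconfig.xml, rating a hit higher when the response suggests the file was actually served. It assumes the server sits behind a reverse proxy that writes combined-format access logs; the log lines and request paths are constructed for illustration and are not the actual exploit request.

```python
import re
from urllib.parse import unquote

# Assumption: a reverse proxy in front of SimpleHelp writes combined-format logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# ".." only counts as traversal when it is a whole path segment.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SENSITIVE = ("serverconfig.xml",)  # configuration file named in the advisory

# Constructed sample lines; paths are hypothetical, not the real exploit request.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2025:03:12:01 +0000] "GET /allversions HTTP/1.1" 200 412',
    '203.0.113.7 - - [14/Feb/2025:03:12:04 +0000] "GET /hypothetical/files/../../configuration/serverconfig.xml HTTP/1.1" 200 9120',
    '198.51.100.23 - - [14/Feb/2025:04:40:10 +0000] "GET /hypothetical/files/%252e%252e%252fserverconfig.xml HTTP/1.1" 404 0',
    '192.0.2.10 - - [14/Feb/2025:08:00:00 +0000] "GET /technician/login..now HTTP/1.1" 200 1500',
]

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f becomes ../"""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return a finding dict for a suspicious request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["target"])
    traversal = bool(TRAVERSAL_RE.search(decoded))
    sensitive = any(name in decoded.lower() for name in SENSITIVE)
    if not (traversal or sensitive):
        return None
    # A 200 with a non-empty body means the file was probably returned.
    served = m["status"] == "200" and m["size"] not in ("-", "0")
    severity = "high" if traversal and sensitive and served else "medium"
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "target": decoded, "severity": severity}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" finding on a server that was running a vulnerable version is a reason to treat the technician credentials in that configuration as exposed and rotate them.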
In addition to the directory traversal vulnerability that can leak sensitive configuration, two other vulnerabilities were published:
- CVE-2024-57726 allows privilege escalation from a technician to server admin by creating API keys with excessive permissions.
- CVE-2024-57728 allows arbitrary file upload and remote code execution as a user with the escalated server admin privileges.
Chained together, these vulnerabilities have potential to result in complete server compromise.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations to remediate any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.