CISA Warns: SimpleHelp Vulnerabilities Actively Multiple Exploited

Two actively exploited vulnerabilities in SimpleHelp remote support software have triggered a critical alert from the Cybersecurity and Infrastructure Security Agency (CISA).

Remote access tools are highly valued targets for cybercriminals because they provide direct pathways into corporate networks.

When compromised, these platforms allow threat actors to bypass traditional security perimeters and launch devastating secondary attacks.

Organizations using SimpleHelp must take immediate action to secure their infrastructure against potential compromise.

Missing Authorization Flaw

The first critical vulnerability, CVE-2024-57726, is classified as a missing authorization issue under CWE-862.

This security gap fundamentally breaks the role-based access controls within the SimpleHelp platform.

The flaw allows low-privileged technicians to bypass intended restrictions and generate API keys with excessive permissions.

By exploiting this weakness, a compromised low-level account can quickly escalate privileges to the server administrator role.

Gaining this level of access gives attackers complete administrative control over the remote support environment and all connected client machines.

Path Traversal Vulnerability

The second vulnerability, CVE-2024-57728, is a dangerous path traversal flaw linked to CWE-22.

Often referred to as a “zip slip” attack, this exploit allows an authenticated administrator to upload specially crafted zip files anywhere on the underlying file system.

Although an attacker needs admin access to trigger this bug, they can easily chain it with the first authorization vulnerability to gain the required permissions.

Once the malicious payload is uploaded, threat actors can execute arbitrary code on the host server.

This code runs within the security context of the SimpleHelp user, giving hackers a firm foothold for lateral movement across the network.

On April 24, 2026, CISA officially added these security flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Due to the active exploitation of these flaws, CISA has established a strict remediation deadline of May 8, 2026.

While it is currently unknown whether ransomware gangs are using these specific exploits, the threat’s severity requires immediate attention.

Security teams must prioritize patching and securing their remote access infrastructure to prevent unauthorized system takeovers.

System administrators should implement the following security measures immediately:

• Apply all available mitigations and software updates provided in the official SimpleHelp vendor instructions.
• Follow applicable BOD 22-01 guidance for securing connected cloud services and external infrastructure.
• Monitor network logs for unusual API key generation or suspicious file uploads originating from the SimpleHelp server.
• Discontinue the use of the product entirely and disconnect it from the network if mitigations are unavailable.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.