CISA Warns of Critical SimpleHelp Vulnerabilities Exploited in Attacks
Key Takeaways The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding two critical vulnerabilities in SimpleHelp remote support software. The flaws,...
Key Takeaways
- The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding two critical vulnerabilities in SimpleHelp remote support software.
- The flaws, identified as CVE-2024-57726 and CVE-2024-57728, are actively being exploited by threat actors.
- Exploitation allows for privilege escalation from low-level accounts to full administrator control and arbitrary code execution on the host server.
- All organizations utilizing SimpleHelp are urged to apply vendor-provided patches and mitigations immediately to prevent compromise.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding two actively exploited vulnerabilities within SimpleHelp remote support software. These security weaknesses pose a significant risk, as remote access tools are prime targets for cybercriminals seeking direct entry into organizational networks. When compromised, such platforms enable attackers to bypass traditional security measures, paving the way for further malicious activities and potentially devastating secondary attacks.
Table Of Content
Organizations leveraging SimpleHelp are advised to take immediate and decisive action to fortify their infrastructure against potential exploitation.
Missing Authorization Flaw (CVE-2024-57726)
The first critical vulnerability, CVE-2024-57726, is categorized as a missing authorization issue, falling under CWE-862. This flaw fundamentally undermines the role-based access controls inherent to the SimpleHelp platform. It permits low-privileged technicians to circumvent established restrictions and generate API keys endowed with excessive permissions. Through successful exploitation of this weakness, a compromised low-level account can rapidly escalate its privileges to assume the role of a server administrator. Such elevated access grants attackers complete administrative command over the remote support environment and all client machines connected to it.
Path Traversal Vulnerability (CVE-2024-57728)
The second vulnerability, CVE-2024-57728, is a dangerous path traversal flaw, identified with CWE-22. Often referred to as a “zip slip” attack, this exploit enables an authenticated administrator to upload specially crafted zip files to any location on the underlying file system. Although administrative access is typically required to trigger this bug, attackers can readily chain it with the aforementioned authorization vulnerability to acquire the necessary permissions. Once a malicious payload is uploaded, threat actors can execute arbitrary code on the host server. This code operates within the security context of the SimpleHelp user, providing hackers with a firm foothold for lateral movement across the network.
CISA officially added both security flaws to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026. Given the active exploitation of these vulnerabilities, CISA has mandated a strict remediation deadline of May 8, 2026. While it remains unconfirmed whether ransomware groups are currently leveraging these specific exploits, the severe nature of the threat necessitates immediate attention. Security teams must prioritize patching and securing their remote access infrastructure to prevent unauthorized system takeovers.
What You Should Do
- Apply all available mitigations and software updates as detailed in the official SimpleHelp vendor instructions.
- Adhere to applicable BOD 22-01 guidance for securing connected cloud services and external infrastructure.
- Actively monitor network logs for any unusual API key generation or suspicious file uploads originating from the SimpleHelp server.
- If mitigations are not available, discontinue product usage entirely and disconnect it from the network.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.