Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Attackers exploit SimpleHelp RMM Software flaws for initial access

Threat actors exploit recently fixed SimpleHelp RMM software vulnerabilities to breach targeted networks, experts warn. Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as clients machines being managed by SimpleHelp. The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated […]

Bitwarden

Threat actors exploit recently fixed SimpleHelp RMM software vulnerabilities to breach targeted networks, experts warn.

Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as clients machines being managed by SimpleHelp.

The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. This includes sensitive data like the serverconfig.xml file, which contains hashed admin and technician passwords, LDAP credentials, and other secrets, all encrypted with a hardcoded key. The second bug, tracked as CVE-2024-57728 (CVSS score of 7.2), enables arbitrary file uploads, leading to remote code execution if attackers gain admin credentials. For Linux, this allows remote command execution via crontab uploads; for Windows, it enables executable overwrites. The third, CVE-2024-57726 (CVSS score of 7.2), allows privilege escalation, letting a low-privilege technician elevate to admin by exploiting missing backend authorization checks. This grants access to customer machines and makes the server vulnerable to further exploits.

On Jan. 6, 2025: Horizon3.I reported the issue to SimpleHelp, which released patch version 5.3.9 on Jan. 13, 2025.

Researchers from security firm Arctic Wolf now report that an ongoing campaign is targeting SimpleHelp servers. According to the experts, the attacks are allegedly exploiting the above vulnerabilities and began a week after their public disclosure.

Attackers could download files, upload files with admin privileges, and escalate their access to an administrative level on vulnerable servers.

“On 22 January 2025, Arctic Wolf began observing a campaign involving unauthorised access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728).” reads the report published by Artic Wolf. “If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software.”

According to Arctic Wolf, SimpleHelp’s Remote Access.exe was running before the compromise, likely from a past support session. The first sign of intrusion was communication with an unapproved SimpleHelp server. Attackers attempted to gather account and domain details via cmd.exe using tools like net and nltest but failed to act further as the session was terminated early.

To minimize risks, the experts recommend uninstalling unused SimpleHelp client software from past support sessions, rotating passwords for admin and technician accounts, and restricting IP logins on SimpleHelp servers.

The Shadowserver Foundation reported they have seen 580 vulnerable instances exposed online, mainly in the United States and UK.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SimpleHelp RMM)