Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SimpleHelp vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SimpleHelp vulnerability, tracked as CVE-2024-57727, to its Known Exploited Vulnerabilities (KEV) catalog. At the end of January, Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used […]

CISA BlueHammer (CVE-2026-33825)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SimpleHelp vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SimpleHelp vulnerability, tracked as CVE-2024-57727, to its Known Exploited Vulnerabilities (KEV) catalog.

At the end of January, Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as clients machines being managed by SimpleHelp.

The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. This includes sensitive data like the serverconfig.xml file, which contains hashed admin and technician passwords, LDAP credentials, and other secrets, all encrypted with a hardcoded key. 

On Jan. 6, 2025: Horizon3.I reported the issue to SimpleHelp, which released patch version 5.3.9 on Jan. 13, 2025.

Researchers from security firm Arctic Wolf now report that an ongoing campaign is targeting SimpleHelp servers. According to the experts, the attacks are allegedly exploiting the above vulnerabilities and began a week after their public disclosure.

Attackers could download files, upload files with admin privileges, and escalate their access to an administrative level on vulnerable servers.

“On 22 January 2025, Arctic Wolf began observing a campaign involving unauthorised access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728).” reads the report published by Artic Wolf. “If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software.”

According to Arctic Wolf, SimpleHelp’s Remote Access.exe was running before the compromise, likely from a past support session. The first sign of intrusion was communication with an unapproved SimpleHelp server. Attackers attempted to gather account and domain details via cmd.exe using tools like net and nltest but failed to act further as the session was terminated early.

To minimize risks, the experts recommend uninstalling unused SimpleHelp client software from past support sessions, rotating passwords for admin and technician accounts, and restricting IP logins on SimpleHelp servers.

The Shadowserver Foundation reported they have seen 580 vulnerable instances exposed online, mainly in the United States and UK.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 6, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SimpleHelp RMM)