Three Flaws, One Attack Chain: How SimpleHelp Became Ransomware's Favourite MSP Gateway
Theo Martin Exploit intelligence researcher · Updated May 18, 2026, 10:50 AM EDT
SimpleHelp CVE-2024-57727, CVE-2024-57726, and CVE-2024-57728 form an attack chain abused by ransomware actors against MSPs and downstream customers.
A trio of vulnerabilities in SimpleHelp remote support software — chained together in a sequence that requires no privileged access to initiate — has enabled confirmed ransomware campaigns against managed service providers and critical infrastructure, with government agencies warning the threat remains active and ongoing well into 2026.
The flaws, tracked as CVE-2024-57727, CVE-2024-57726, and CVE-2024-57728, affect all SimpleHelp versions through 5.5.7 and were patched in January 2025. Despite available fixes, exploitation accelerated throughout the first half of 2025 — and CISA's own escalating response, adding a second CVE from the chain to its Known Exploited Vulnerabilities catalog in April 2026, signals that the campaign is far from finished. The DragonForce ransomware group, Play ransomware affiliates, and at least one unnamed actor targeting utility-sector software providers have all been linked to active campaigns exploiting the chain.
The Chain That Makes It Work
Understanding why these flaws are so dangerous requires understanding how they interlock. Each vulnerability is significant in isolation; together they form an end-to-end kill path from the public internet to every machine an MSP manages.
Attack chain, step by step:

1. Internet-facing SimpleHelp server, version 5.5.7 or earlier.
2. CVE-2024-57727 (unauthenticated path traversal). The attacker sends
   GET /toolbox-resource/../secmsg/../../configuration/serverconfig.xml
   and serverconfig.xml is delivered. The file contains hashed passwords, LDAP credentials, OIDC secrets, API keys and TOTP seeds.
3. Authenticated session established, either as SimpleHelpAdmin or as a low-privilege technician, using credentials recovered from the file.
4. CVE-2024-57726 (privilege escalation). The technician calls admin API endpoints that have no backend authorisation checks; server admin access is achieved.
5. CVE-2024-57728 (zip-slip file upload). The admin uploads a crafted ZIP whose entry names carry path-traversal sequences, writing arbitrary files to the host filesystem. Result: RCE on the SimpleHelp host (Linux: crontab drop; Windows: DLL overwrite).
6. Pivot via the RMM: push malware to all managed endpoints.
CVE-2024-57727 (CVSS 7.5 High) is the entry point — and the most operationally important of the three. It allows an unauthenticated attacker to traverse the server's directory structure via a crafted HTTP request and download arbitrary files. The target of choice is serverconfig.xml, which contains hashed administrative credentials, LDAP bind passwords, OIDC client secrets, API keys, and TOTP seeds used for multi-factor authentication. Notably, SimpleHelp's on-disk encryption of these files uses a hardcoded key, rendering it ineffective once the file is in an attacker's hands.
The hash algorithm used for stored passwords — SHA-1 applied in a variant that does not properly salt credentials — can be cracked offline with a custom wordlist in a matter of minutes. That cracked password, or any reused LDAP credential found in the same file, becomes the ticket to an authenticated session.
CVE-2024-57726 (CVSS 9.9 Critical) handles the elevation phase. If an attacker logs in as a low-privilege technician rather than as a full administrator, missing backend authorisation checks on certain admin API endpoints allow that technician to promote themselves to server admin through a crafted sequence of network calls. The CVSS score of 9.9, together with an Exploit Prediction Scoring System (EPSS) score of roughly 52% (EPSS estimates the probability that a flaw will see exploitation activity in the wild within the next 30 days, so this is close to a coin flip), reflects how severe the flaw is in practice. The elevated CVSS accounts for a scope change: an administrator in SimpleHelp's context can reach every client machine connected to the platform, not just the systems the technician was originally permitted to access. That scope change is precisely what makes MSP environments so attractive.
CVE-2024-57728 (Critical) closes the loop. Once admin access is in hand, an attacker can upload a specially crafted ZIP archive containing filenames with embedded path-traversal sequences. SimpleHelp's extraction routine follows those paths outside the intended directory, depositing attacker-controlled files anywhere on the host filesystem. On Linux systems, a crontab file placed in the right location delivers remote code execution. On Windows, overwriting executables or libraries used by SimpleHelp achieves the same result.
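The download flaw and the zip-slip flaw share one defect: an attacker-supplied path is joined to a base directory without checking that the result still lies inside it. The following is an added example, not code from SimpleHelp or from Horizon3.ai, showing a naive resolver and a naive ZIP extractor next to hardened versions that refuse anything escaping the base. The directory layout (an install directory, a served resource directory, an uploads directory) and the file names are constructed for the demo and are not SimpleHelp's real layout; the request tail is the one from the page, minus the /toolbox-resource/ prefix.

```python
"""Added example: path containment for a file download and a ZIP upload.
Layout and names are constructed; they are not SimpleHelp's real layout."""
import io
import os
import tempfile
import zipfile


def contained(base: str, candidate: str) -> bool:
    """True when candidate, after '..' and symlink resolution, sits inside base."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([base_real, cand_real]) == base_real


# CVE-2024-57727 shape: the tail of a /toolbox-resource/... request is joined
# to the directory that handler serves from.
def resolve_vulnerable(serve_dir: str, tail: str) -> str:
    """'..' segments in the tail are honoured, so the result can leave serve_dir."""
    return os.path.normpath(os.path.join(serve_dir, tail))


def resolve_hardened(serve_dir: str, tail: str) -> str:
    """Resolve first, then check containment; reject anything outside serve_dir."""
    target = os.path.realpath(os.path.join(serve_dir, tail))
    if not contained(serve_dir, target):
        raise PermissionError(f"path escapes served directory: {tail}")
    return target


# CVE-2024-57728 shape: entry names inside an uploaded ZIP are trusted.
def build_zip(entry_name: str, payload: bytes) -> bytes:
    """Constructed upload: one entry whose name carries '..' segments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)  # zipfile does not sanitise names on write
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: str) -> list[str]:
    """Writes each entry to dest/<entry name> verbatim; returns paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(out))
    return written


def extract_hardened(zip_bytes: bytes, dest: str) -> list[str]:
    """Every entry is containment-checked before a single byte is written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            out = os.path.realpath(os.path.join(dest, info.filename))
            if not contained(dest, out):
                raise ValueError(f"zip slip entry rejected: {info.filename}")
            targets.append((info, out))
        for info, out in targets:
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as fh:
                fh.write(zf.read(info))
    return [out for _, out in targets]


def demo() -> dict:
    """Runs both attacks against a throwaway install tree; returns what happened."""
    with tempfile.TemporaryDirectory() as root:
        install = os.path.join(root, "simplehelp")
        serve_dir = os.path.join(install, "web", "toolbox-resource")
        config = os.path.join(install, "configuration", "serverconfig.xml")
        uploads = os.path.join(install, "uploads")
        for d in (serve_dir, os.path.dirname(config), uploads):
            os.makedirs(d)
        with open(config, "w") as fh:
            fh.write("<config/>")  # stands in for the real file

        tail = "../secmsg/../../configuration/serverconfig.xml"
        reached = os.path.realpath(resolve_vulnerable(serve_dir, tail)) == os.path.realpath(config)
        try:
            resolve_hardened(serve_dir, tail)
            blocked = False
        except PermissionError:
            blocked = True

        # crafted ZIP whose entry aims at a cron drop outside the uploads directory
        upload = build_zip("../../etc/cron.d/backdoor", b"* * * * * root /tmp/run.sh\n")
        slipped = not contained(uploads, extract_vulnerable(upload, uploads)[0])
        try:
            extract_hardened(upload, uploads)
            zip_blocked = False
        except ValueError:
            zip_blocked = True

    return {"download_reached_config": reached, "download_blocked": blocked,
            "zip_wrote_outside": slipped, "zip_blocked": zip_blocked}


if __name__ == "__main__":
    print(demo())
```

The hardened extractor checks every entry before writing any of them, so a ZIP mixing benign and malicious names leaves nothing half-applied on disk; the check is done on the resolved path so that a symlink already inside the destination cannot be used to redirect the write either.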
From that foothold on the SimpleHelp host, the attacker has something far more valuable than a single compromised server: administrative control over a remote monitoring and management tool with authenticated access to every endpoint the MSP manages.
CVE Vulnerability Summary

CVE            | Type                                         | Authentication needed     | CVSS         | Patched in
CVE-2024-57727 | Unauthenticated path traversal               | None                      | 7.5 High     | 5.5.8 / 5.4.10 / 5.3.9
CVE-2024-57726 | Privilege escalation (technician → admin)    | Low-privilege technician  | 9.9 Critical | 5.5.8 / 5.4.10 / 5.3.9
CVE-2024-57728 | Arbitrary file upload via zip slip → RCE     | Admin                     | Critical     | 5.5.8 / 5.4.10 / 5.3.9
Fourteen Days to First Exploitation
Exploitation of the chain began just 14 days after patches were made available — a window that proved catastrophically short for many organisations that had not yet acted.
Horizon3.ai researchers discovered the three vulnerabilities in late December 2024 and disclosed them to SimpleHelp's security team on January 6, 2025. SimpleHelp released patches for the 5.5.x and 5.4.x branches on January 8 and the 5.3.x branch on January 13. CVE numbers were formally assigned on January 14.
Arctic Wolf observed the first active campaign on January 22, with threat actors conducting Active Directory enumeration against MSP-managed client organisations. By January 28, the Shadowserver Foundation had identified approximately 580 internet-exposed SimpleHelp instances running vulnerable versions, roughly 345 of them in the United States. That figure reflects public-internet exposure only; SimpleHelp instances hosted behind VPN — common among security-conscious MSPs — are not counted, making 580 a floor rather than a ceiling.
The speed of weaponisation was partially enabled by tooling. SimpleHelp's /allversions endpoint, accessible without authentication, allows any scanner to fingerprint the version running on an exposed server before launching the traversal. A Nuclei template for CVE-2024-57727 subsequently made mass scanning fully automated.
CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities catalog on February 13, 2025, setting a remediation deadline of March 6 for federal agencies and explicitly flagging the vulnerability as associated with ransomware use. CVE-2024-57726 — the privilege escalation flaw — was subsequently added to the KEV catalog on April 24, 2026, with a May 8 due date, reflecting continued and confirmed active exploitation more than a year after patching. CVE-2024-57728, the zip-slip file upload flaw, has also been listed in KEV, underscoring that the full chain remains operationally relevant. The staggered additions reflect the architecture of the chain itself: the path traversal is the unauthenticated entry point, the privilege escalation enables the most dangerous scope change, and the file upload requires the highest prior access level to reach.
DragonForce, Play, and a Utility Sector Disruption
The confirmed impact has been broad. In the most detailed case study available, Sophos MDR investigated an attack in which DragonForce ransomware actors gained access to an unnamed MSP's SimpleHelp RMM instance and used it to push a SimpleHelp installer to client endpoints — blending attacker activity with legitimate IT operations to avoid detection. The actors conducted reconnaissance across the entire managed estate, harvesting device names, configuration data, user lists, and network connection information before deploying ransomware and exfiltrating data in a double-extortion campaign.
One client, enrolled in Sophos MDR with endpoint protection deployed, had the attack blocked before encryption. The MSP itself and clients without equivalent coverage were not protected. Sophos described DragonForce as an advanced ransomware-as-a-service brand that emerged in mid-2023 and in 2025 rebranded itself as a "cartel," offering affiliates a white-label model and claiming to absorb the infrastructure of RansomHub. Affiliates operating with Scattered Spider tactics (the group behind the 2023 Caesars Entertainment and MGM Resorts attacks) have reportedly used DragonForce payloads in subsequent campaigns.
A joint advisory issued by the FBI, CISA, and the Australian Signals Directorate on June 4, 2025 linked Play ransomware affiliates to exploitation of the SimpleHelp chain as an initial access vector. A separate CISA advisory published June 12 — AA25-163A — documented a ransomware intrusion against a utility billing software provider whose downstream customers experienced service disruptions as a result.
"Ransomware actors likely exploited CVE-2024-57727 to access downstream customers' unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents."
— CISA Advisory AA25-163A, June 2025
CISA characterised the incident as part of "a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025."
Why Remote Support Tools Keep Getting Hit
The structural risk is not unique to SimpleHelp. Remote monitoring and management platforms are high-value targets precisely because of their authorised, trusted reach.
"A single compromise of a SimpleHelp server could yield intrusions across multiple supported organizations."
— Arctic Wolf, January 2025
The same logic drove REvil's July 2021 attack on Kaseya VSA, which cascaded through approximately 1,500 downstream MSP client organisations. It drove LockBit affiliates' exploitation of ConnectWise ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 in February 2024. It drove the December 2024 nation-state breach of BeyondTrust, which was used by Chinese state-sponsored actors to compromise the US Treasury Department — a breach the Department disclosed directly to the Senate Banking Committee in a letter dated December 30, 2024. In each case, the attacker's leverage came not from the value of the RMM server itself but from the trusted, authenticated relationships it held with everything downstream.
Horizon3.ai, the team that discovered the SimpleHelp flaws, noted in its disclosure that "SimpleHelp, like other remote access tools, is a tool that has been known to have been abused by threat actors. There's a chance the vulnerabilities disclosed here are already well known" — a pointed suggestion that exploitation may have preceded the public patch by an unknown period. Iranian APT group MuddyWater has separately been documented using SimpleHelp for persistence and detection evasion, underscoring that abuse of the platform extends beyond ransomware actors.
Product                   | CVE(s)                                          | Date     | Exploited by                   | Downstream impact
Kaseya VSA                | CVE-2021-30116                                  | Jul 2021 | REvil                          | ~1,500 MSP client orgs
ConnectWise ScreenConnect | CVE-2024-1708, CVE-2024-1709                    | Feb 2024 | LockBit affiliates             | Widespread MSP exploitation
BeyondTrust               | CVE-2024-12356, CVE-2024-12686                  | Dec 2024 | Chinese state-sponsored actors | US Treasury Department breach
SimpleHelp                | CVE-2024-57727, CVE-2024-57726, CVE-2024-57728  | Jan 2025 | DragonForce, Play, others      | MSP and utility-sector disruption
Defender Action: What to Do Now
Organisations running SimpleHelp should treat unpatched instances as actively compromised until upgraded.
Patch targets:

Branch | Vulnerable through          | Patched version
v5.5.x | 5.5.7                       | 5.5.8
v5.4.x | All releases before 5.4.10  | 5.4.10 + Patch 070125
v5.3.x | All releases before 5.3.9   | 5.3.9 + Patch 070125
Version can be verified via the unauthenticated /allversions endpoint or the HTTP Server header — the same method attackers use to screen targets before launching CVE-2024-57727.
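Whether a version string falls inside the ranges in the patch table above, and the screening the /allversions endpoint enables, can be turned into a small triage check. The following is an added example and not SimpleHelp's code. The page does not show the response body of /allversions or the exact format of the Server header, so the parser assumes nothing about either and simply pulls the first x.y.z version out of whatever text it is handed. The "verify-patch-070125" verdict exists because a bare 5.4.10 or 5.3.9 version number cannot tell you whether the supplementary patch the table lists has been applied.

```python
"""Added example: classify a SimpleHelp version string against the page's
patch table. Response/header formats are not assumed; any text is parsed."""
import re

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# first fixed release per branch, from the patch table on the page
FIXED = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}
# branches whose fix also requires the supplementary "Patch 070125"
NEEDS_SUPPLEMENTARY_PATCH = {(5, 4), (5, 3)}
OLDEST_FIXED = min(FIXED.values())


def parse_version(text: str):
    """Return (major, minor, patch) for the first x.y.z found in text, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text: str) -> str:
    """Return 'vulnerable', 'patched', 'verify-patch-070125' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in FIXED:
        if v < FIXED[branch]:
            return "vulnerable"
        if branch in NEEDS_SUPPLEMENTARY_PATCH:
            return "verify-patch-070125"  # version alone cannot prove the patch is on
        return "patched"
    # branches with no listed fix: anything older than 5.3.9 never received one,
    # anything newer than the 5.5 line postdates the fixes
    return "vulnerable" if v < OLDEST_FIXED else "patched"


if __name__ == "__main__":
    # constructed inputs standing in for whatever text the Server header or
    # /allversions returns on a real instance
    for sample in ("SimpleHelp 5.5.7", "5.5.8", "5.4.10", "5.2.4", "no version"):
        print(f"{sample!r}: {assess(sample)}")
```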
Post-patch hardening steps from the vendor:
Disable the default SimpleHelpAdmin account and replace it with a named administrator account.
Disable local technician logins and require LDAP or Active Directory authentication.
Rotate all credentials — admin password, all technician passwords, and LDAP bind credentials.
Restrict server console access to whitelisted IP ranges for known technician locations.
Enable server event alerting for admin logins, failed login attempts, and configuration changes.
Audit serviceconfig.xml on all registered endpoints for unauthorised ServerAddresses entries.
Uninstall SimpleHelp clients left behind by third-party support sessions that are no longer needed.
Detection — server log strings to hunt:
[WebDownloaderServer] Request for resource /toolbox-resource/../[anydir]/../../configuration/serverconfig.xml received
Post-5.5.8 installations log active traversal scan attempts with entries prefixed:
[WebDownloadServer] Insecure request...
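The two log strings above can be turned into a hunt that also catches variants of the traversal (percent-encoded dots, different decoy directory names, other escaped files). The following is an added example, not vendor detection content and not Arctic Wolf's; the sample log lines are constructed for it, including a line imitating the post-5.5.8 "Insecure request" marker whose full text the page does not show. Both logger spellings seen above are accepted.

```python
"""Added example: hunt SimpleHelp server log lines for CVE-2024-57727 traversal.
The SAMPLE_LOG lines are constructed, not taken from a real server."""
import posixpath
import re
from urllib.parse import unquote

# accepts both "[WebDownloaderServer]" and "[WebDownloadServer]"
REQUEST_RE = re.compile(r"\[WebDownload(?:er)?Server\]\s+Request for resource (\S+) received")
INSECURE_RE = re.compile(r"\[WebDownload(?:er)?Server\]\s+Insecure request")
SENSITIVE_FILES = {"serverconfig.xml"}


def classify_path(raw: str) -> dict:
    """Decode and collapse a request path; say whether it escapes its first directory."""
    decoded = unquote(unquote(raw))  # twice: catches %2e%2e and double-encoded forms
    segments = [s for s in decoded.split("/") if s]
    normalized = posixpath.normpath("/" + "/".join(segments)) if segments else "/"
    top = "/" + segments[0] if segments else "/"
    inside_top = normalized == top or normalized.startswith(top + "/")
    escaped = ".." in segments and not inside_top
    return {
        "normalized": normalized,
        "escaped": escaped,
        "sensitive": posixpath.basename(normalized).lower() in SENSITIVE_FILES,
    }


def hunt(lines) -> list:
    """Return (line_no, verdict, detail) for every line worth an analyst's time."""
    findings = []
    for n, line in enumerate(lines, 1):
        if INSECURE_RE.search(line):
            findings.append((n, "blocked-by-patched-server", line.strip()))
            continue
        m = REQUEST_RE.search(line)
        if not m:
            continue
        c = classify_path(m.group(1))
        if c["escaped"] and c["sensitive"]:
            findings.append((n, "config-file-traversal", c["normalized"]))
        elif c["escaped"]:
            findings.append((n, "traversal", c["normalized"]))
    return findings


# constructed sample: one benign fetch, the exact request from the page, a
# percent-encoded variant, a traversal to another file, and a post-patch refusal
SAMPLE_LOG = [
    "2025-01-22 03:14:07 [WebDownloaderServer] Request for resource /toolbox-resource/icons/logo.png received",
    "2025-01-22 03:14:09 [WebDownloaderServer] Request for resource /toolbox-resource/../secmsg/../../configuration/serverconfig.xml received",
    "2025-01-22 03:14:11 [WebDownloaderServer] Request for resource /toolbox-resource/..%2fsecmsg/..%2f..%2fconfiguration/serverconfig.xml received",
    "2025-01-22 03:15:00 [WebDownloaderServer] Request for resource /toolbox-resource/../../lib/something.jar received",
    "2025-02-01 09:00:00 [WebDownloadServer] Insecure request /toolbox-resource/../../configuration/serverconfig.xml refused (constructed line)",
]


if __name__ == "__main__":
    for line_no, verdict, detail in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {detail}")
```

The verdict distinguishes a confirmed reach for serverconfig.xml from a generic escape of the served directory so that the former can be routed straight to credential rotation, which is the action that matters once that file has left the server.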
Behavioural IOC (Arctic Wolf): Remote Access.exe communicating with an unrecognised or unapproved SimpleHelp server URL. In the DragonForce incident, the initial detection that triggered Sophos MDR response was a suspicious installation of a SimpleHelp installer file, pushed via the compromised RMM session as if it were a routine software deployment.
CISA's advisory directs any organisation that has run a vulnerable version since January 2025 to isolate the SimpleHelp server from the internet, upgrade immediately, and notify downstream customers to undertake threat-hunting activity on their own networks. The agency's framing is unambiguous: this is not a resolved incident but an active exploitation pattern, and with CVE-2024-57726 now joining CVE-2024-57727 on the KEV list, the window for undetected compromise among organisations that have not yet patched remains dangerously open.