What is SimpleHelp?
SimpleHelp is a commercial Remote Monitoring and Management (RMM) and remote support software platform deployed across thousands of organizations globally since 2007. It provides cross-platform remote desktop control, unattended access, file transfer, automation scripting, and live monitoring — all run on-premises or in the cloud.
SimpleHelp is disproportionately high-value for attackers because of its MSP customer base. Managed Service Providers use SimpleHelp to manage the IT infrastructure of dozens or hundreds of downstream client organizations. Compromising one MSP's SimpleHelp server cascades directly into all of those clients' networks via trusted, authenticated channels. This is the same reason threat actors target other RMM platforms like ConnectWise ScreenConnect, Kaseya VSA, and SolarWinds.
Overview
CVE-2024-57726 is a missing authorization (CWE-862) flaw in SimpleHelp's API key management system. A low-privilege technician user can create API keys with server administrator permissions — bypassing all role-based access controls — and then use those keys to fully take over the SimpleHelp server.
This vulnerability was discovered and disclosed by the Horizon3.ai Attack Research Team in January 2025 as part of a three-CVE cluster affecting SimpleHelp v5.5.7 and earlier. Within nine days of public disclosure, multiple threat actors were actively exploiting it. The DragonForce ransomware group subsequently weaponized the full vulnerability chain in MSP supply-chain attacks that propagated ransomware to downstream client organizations.
The SimpleHelp Vulnerability Chain
CVE-2024-57726 is part of three closely related flaws discovered and disclosed together by Horizon3.ai:
| CVE | Type | CVSS | Auth Required | Impact |
|---|---|---|---|---|
| CVE-2024-57727 | Path Traversal | 7.5 | None | Read server config, harvest credentials |
| CVE-2024-57726 | Missing Authorization | 9.9 | Low (technician) | Escalate to server admin |
| CVE-2024-57728 | Zip Slip / File Upload | 7.2 | Admin | Write arbitrary files → RCE |
Full attack chain: An attacker exploits CVE-2024-57727 to read serverconfig.xml (unauthenticated), extracting hashed credentials or API keys. They then use a technician account to exploit CVE-2024-57726 and generate an admin API key. Finally, with admin access, they exploit CVE-2024-57728 to achieve remote code execution on the host.
Affected Versions
| Version Branch | Vulnerable Through | Fixed Version | Released |
|---|---|---|---|
| v5.5.x | v5.5.7 and earlier | v5.5.8 | January 8, 2025 |
| v5.4.x | v5.4.x and earlier | v5.4.10 | January 8, 2025 |
| v5.3.x | v5.3.x and earlier | v5.3.9 | January 13, 2025 |
Technical Details
The vulnerability is in SimpleHelp's API key creation endpoint. When a technician issues a POST request to /api/admin/keys, the server does not validate that the calling user actually holds the Admin role before processing the request. This missing authorization check allows any authenticated technician to:
- Send a crafted request to `/api/admin/keys` specifying `server_admin` role permissions
- Receive a valid API key with full admin privileges
- Use that key to invoke any admin-level API method: enumerate all managed systems, modify server configuration, create new accounts, and more
The Scope: Changed in the CVSS vector (S:C) reflects that a successful exploit does not just compromise the SimpleHelp server — it cascades to all client systems that server manages.
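To make the missing check concrete, here is an added illustration (hypothetical Python, not SimpleHelp's code): a model of the `/api/admin/keys` handler that honours whatever role the request body names, beside a hardened version that authorizes on the caller's server-side role before anything else. The user model, key store and role names are assumptions for the example.

```python
# Hypothetical model of the CWE-862 flaw behind CVE-2024-57726 (not SimpleHelp's
# real code): a handler for POST /api/admin/keys that trusts the role named in
# the request body instead of checking the caller's own server-side role.
from dataclasses import dataclass
import secrets

ADMIN, TECHNICIAN = "server_admin", "technician"

@dataclass
class User:
    name: str
    role: str   # role as stored server-side, never taken from the client

@dataclass
class ApiKey:
    token: str
    role: str
    created_by: str

class AuthorizationError(Exception):
    pass

def create_key_vulnerable(store: list, caller: User, body: dict) -> ApiKey:
    """Vulnerable: any authenticated user may mint a key with any role."""
    key = ApiKey(secrets.token_hex(16), body.get("role", TECHNICIAN), caller.name)
    store.append(key)
    return key

def create_key_fixed(store: list, caller: User, body: dict) -> ApiKey:
    """Hardened: authorize on the caller's server-side role first, so a
    technician never reaches key creation on the admin endpoint at all."""
    if caller.role != ADMIN:
        raise AuthorizationError(f"{caller.name} does not hold {ADMIN}")
    requested = body.get("role", TECHNICIAN)
    if requested not in (ADMIN, TECHNICIAN):
        raise ValueError(f"unknown role {requested!r}")
    key = ApiKey(secrets.token_hex(16), requested, caller.name)
    store.append(key)
    return key

def technician_gets_admin_key(handler) -> bool:
    """True if a plain technician can obtain a server_admin key via handler."""
    store: list = []
    try:
        key = handler(store, User("tech1", TECHNICIAN), {"role": ADMIN})
    except AuthorizationError:
        return False
    return key.role == ADMIN and key in store
```

The check belongs before any state is touched: the hardened handler rejects the call outright rather than creating the key and filtering later.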
Discovery
Discovered by the Horizon3.ai Attack Research Team after identifying SimpleHelp as widely internet-exposed software with significant MSP market penetration. Horizon3.ai initiated coordinated disclosure on December 30, 2024 and published their full technical analysis alongside SimpleHelp's patches on January 13, 2025.
Exploitation Context
Initial Access Campaigns
Arctic Wolf observed the first exploitation attempts on January 22, 2025 — just nine days after Horizon3.ai's public disclosure. Attack patterns included:
- Unauthorized account enumeration via `/api/technicians`
- Domain reconnaissance using `cmd.exe`, `net`, and `nltest` commands from within compromised SimpleHelp sessions
- Attempts to establish persistent access before defenders detected the intrusion
DragonForce MSP Supply-Chain Attacks
Sophos documented a coordinated campaign by the DragonForce ransomware-as-a-service group exploiting the SimpleHelp vulnerability chain to attack MSPs and their clients:
- Attackers gained initial access to MSP SimpleHelp servers using the CVE-2024-57726 privilege escalation
- Used SimpleHelp's built-in RMM capabilities to enumerate managed client devices and network topology
- Deployed PDQ Deploy to push ransomware payloads (including `Gaze.exe`) across client networks
- Installed AnyDesk for persistent interactive C2
- Created local admin accounts (`admin`) for persistence after SimpleHelp cleanup
- Executed credential harvesting scripts (`Get-Veeam-Creds.ps1`) to steal backup credentials
- Exfiltrated data before detonating ransomware across multiple client organizations simultaneously
Medusa ransomware operators also leveraged SimpleHelp vulnerabilities in Q1 2025 campaigns, targeting organizations in the UK and causing SYSTEM-level compromise across customer networks.
Exposure
Shadowserver Foundation reported approximately 580+ internet-exposed SimpleHelp instances at peak. NHS England and the Health-ISAC issued specific alerts to healthcare organizations due to targeted attacks on the sector.
Remediation
- Upgrade SimpleHelp immediately to v5.5.8, v5.4.10, or v5.3.9 depending on your version branch. Patches were released January 8–13, 2025.
- Audit API keys — review all existing API keys for unauthorized `server_admin` privileges and revoke any you did not create.
- Review technician accounts — disable or remove accounts that should not exist; check for newly created admin accounts.
- Audit managed device access logs within SimpleHelp for unauthorized connections or reconnaissance activity.
- Restrict internet exposure — SimpleHelp management interfaces should not be directly internet-accessible. Use VPN or firewall restrictions.
- Review downstream client systems if your SimpleHelp deployment was potentially compromised — treat all managed endpoints as potentially accessed.
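The API-key and account audit steps above, as an added example (not SimpleHelp tooling): the record layout, the roster of known administrators and the sample inventory are all constructed for illustration, since the real export format is not described here. It flags admin keys minted by non-admin accounts (the exploit's signature), admin keys the administrators do not recognise, and admin accounts that are not on the pre-incident roster.

```python
# Added audit helper for the remediation steps above (hypothetical record
# format, constructed data; SimpleHelp's real export format is not on this page).
from datetime import datetime

ADMIN = "server_admin"
DISCLOSURE = datetime(2025, 1, 13)      # public disclosure date from the timeline

# Constructed inventory: who held the admin role before the exposure window,
# and which API keys the administrators know they created.
KNOWN_ADMINS = {"alice"}
KNOWN_KEY_IDS = {"k1"}

SAMPLE_ACCOUNTS = [
    {"user": "alice",    "role": "server_admin", "created": "2023-06-01T08:00:00"},
    {"user": "tech-bob", "role": "technician",   "created": "2024-09-15T10:30:00"},
    {"user": "admin",    "role": "server_admin", "created": "2025-01-23T03:52:00"},
]
SAMPLE_KEYS = [
    {"id": "k1", "role": "server_admin", "created_by": "alice",    "created": "2024-11-02T09:14:00"},
    {"id": "k2", "role": "server_admin", "created_by": "tech-bob", "created": "2025-01-23T03:41:00"},
    {"id": "k3", "role": "technician",   "created_by": "tech-bob", "created": "2025-01-10T12:00:00"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def audit_api_keys(keys, known_admins=KNOWN_ADMINS, known_ids=KNOWN_KEY_IDS):
    """Return (key id, reason) for admin keys that should be revoked or reviewed."""
    findings = []
    for k in keys:
        if k["role"] != ADMIN:
            continue                      # technician-scoped keys are out of scope here
        if k["created_by"] not in known_admins:
            findings.append((k["id"], "admin key minted by non-admin account"))
        elif k["id"] not in known_ids:
            findings.append((k["id"], "admin key not recognised by administrators"))
    return findings

def audit_accounts(accounts, known_admins=KNOWN_ADMINS, since=DISCLOSURE):
    """Return (user, reason) for admin accounts that are not on the pre-incident
    roster, noting whether they appeared before or after public disclosure."""
    findings = []
    for a in accounts:
        if a["role"] != ADMIN or a["user"] in known_admins:
            continue
        when = "after" if _ts(a["created"]) >= since else "before"
        findings.append((a["user"], f"unexpected admin account created {when} disclosure"))
    return findings
```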
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-57726 |
| Vendor / Product | SimpleHelp — SimpleHelp |
| NVD Published | 2025-01-15 |
| NVD Last Modified | 2026-04-24 |
| CVSS 3.1 Score | 9.9 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-862 — Missing Authorization |
| CISA KEV Added | 2026-04-24 |
| CISA KEV Deadline | 2026-05-08 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-12-30 | Horizon3.ai initiates contact with SimpleHelp vendor |
| 2025-01-06 | Formal vulnerability disclosure by Horizon3.ai; vendor acknowledgment |
| 2025-01-08 | SimpleHelp patches v5.5.8 and v5.4.10 released |
| 2025-01-13 | SimpleHelp patch v5.3.9 released; public disclosure by Horizon3.ai |
| 2025-01-15 | CVEs published to NVD |
| 2025-01-22 | Arctic Wolf observes active exploitation — initial access campaigns begin |
| 2025-02-01 | DragonForce ransomware group exploits vulnerabilities in MSP supply-chain attacks (Sophos) |
| 2026-04-24 | Added to CISA Known Exploited Vulnerabilities Catalog |
| 2026-05-08 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2024-57726 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| SimpleHelp Security Vulnerabilities — January 2025 | Vendor Advisory / Patch |
| Critical Vulnerabilities in SimpleHelp Remote Support Software — Horizon3.ai | Security Research |
| Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access | Threat Intelligence |
| DragonForce Actors Target SimpleHelp Vulnerabilities to Attack MSP Customers — Sophos | Threat Intelligence |
| SimpleHelp RMM Multiple Vulnerabilities Analysis — Qualys ThreatPROTECT | Security Research |
| CWE-862 — Missing Authorization | Weakness Classification |