ICS Labs Outbreak Alert - SimpleHelp Support Software Attack
- Security Team

- Aug 6


CVE-2024-57727 is a critical vulnerability that allows malicious actors to access and download arbitrary files from a server without authentication, requiring only an HTTP request. This flaw was identified in SimpleHelp, a remote monitoring and management software. The exposed files may contain highly sensitive information, including server configuration data, administrator passwords, API keys, and other credentials. The vulnerability affects SimpleHelp version 5.5.7 and all earlier versions. The root cause is improper input validation, which allows attackers to manipulate file paths and access files outside of their intended directories.
According to a Cybersecurity Advisory published by CISA, multiple ransomware groups have exploited these SimpleHelp vulnerabilities to achieve remote code execution.
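Defenders reviewing web or reverse-proxy logs in front of a SimpleHelp server can look for the file-path manipulation described above. The script below is an added example, not code from SimpleHelp, CISA or this alert; it assumes Common Log Format access logs, and the sample lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote

# Request line and status in a Common Log Format entry (log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SEPARATORS = re.compile(r"[/\\?&=]")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_lines):
    """Return (target, kind, status) for requests carrying a '..' path segment."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        # Match whole segments only, so names like 'v1..2' are not flagged.
        if ".." not in SEPARATORS.split(decode_fully(target)):
            continue
        # 'encoded' means the raw request hid the dot segments behind %-encoding.
        kind = "literal" if ".." in SEPARATORS.split(target) else "encoded"
        hits.append((target, kind, int(match.group("status"))))
    return hits


# Constructed sample lines; addresses and paths are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2025:10:01:02 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Aug/2025:10:01:05 +0000] "GET /files/../../config/settings.xml HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/Aug/2025:10:02:11 +0000] "GET /files/%2e%2e/%2e%2e/config/settings.xml HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/Aug/2025:10:02:40 +0000] "GET /files/%252e%252e%252fconfig%252fsettings.xml HTTP/1.1" 404 0',
    '192.0.2.4 - - [06/Aug/2025:10:03:00 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for target, kind, status in find_traversal(SAMPLE_LOG):
        print(f"{status} {kind:8} {target}")
```

A flagged request that was answered with status 200 suggests a file was served, so any credentials or keys stored in it should be treated as exposed.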
Recent Updates:
January 22, 2025: Arctic Wolf began observing a campaign involving unauthorized access to devices using SimpleHelp as an initial access vector.
February 13, 2025: This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog.
May 29, 2025: FortiGuard Labs published a Threat Signal Report regarding the SimpleHelp vulnerability.
June 4, 2025: Play Ransomware was observed exploiting CVE-2024-57727.
June 12, 2025: CISA released an advisory titled "Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider".