The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory in response to ransomware groups targeting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software to compromise organizations.

SimpleHelp is a remote support, monitoring, and management platform designed for IT professionals and support teams. It enables technicians to remotely access, control, and maintain computers and servers—both for planned tasks and emergency troubleshooting. Typically installed on a server within an organization or managed service provider (MSP) environment, SimpleHelp establishes secure connections to client devices for updates, diagnostics, and support.

The exploited flaw, CVE-2024-57727, affects SimpleHelp versions 5.5.7 and earlier. These versions are vulnerable to multiple path traversal vulnerabilities, which allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. Exposed files may include server configuration files containing secrets and hashed user passwords.

Ransomware groups—including the gang known as DragonForce—have actively targeted unpatched SimpleHelp instances. Their typical attack chain is as follows:

• Scanning for exposed, unpatched SimpleHelp servers online.
• Exploiting the path traversal vulnerability (CVE-2024-57727) to steal configuration files and credentials.
• Use stolen credentials or chain additional vulnerabilities to gain administrative access to the SimpleHelp server.
• Pivot through the compromised SimpleHelp environment to access downstream customers and their networks.
• Encrypt files and exfiltrate data.

These attacks have caused significant service disruptions, particularly for organizations that rely on MSPs using SimpleHelp to manage client infrastructure. CISA and other authorities strongly urge immediate patching, isolation of exposed servers, and enhanced monitoring to mitigate ongoing threats.

Mitigation

SimpleHelp has published a guide to patch and secure SimpleHelp.

The targeting of SimpleHelp underscore the critical risk posed by unpatched RMM software—and demonstrates once again how much ransomware gangs love using RMM tools. ThreatDown Application Block can protect organizations against ransomware gangs installing legitimate but unauthorized RMM tools:

• Navigate to the ‘Monitor’ section in the Nebula console.
• Select ‘Application Block’
• Select ‘New rule’ and customize the list to include any RMM tools your organization does not use.

ThreatDown Patch Management can help you fix known software vulnerabilities automatically, before criminals exploit them.