Pierluigi Paganini
January 29, 2025
Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as clients machines being managed by SimpleHelp.
The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. This includes sensitive data like the serverconfig.xml file, which contains hashed admin and technician passwords, LDAP credentials, and other secrets, all encrypted with a hardcoded key. The second bug, tracked as CVE-2024-57728 (CVSS score of 7.2), enables arbitrary file uploads, leading to remote code execution if attackers gain admin credentials. For Linux, this allows remote command execution via crontab uploads; for Windows, it enables executable overwrites. The third, CVE-2024-57726 (CVSS score of 7.2), allows privilege escalation, letting a low-privilege technician elevate to admin by exploiting missing backend authorization checks. This grants access to customer machines and makes the server vulnerable to further exploits.
On Jan. 6, 2025: Horizon3.I reported the issue to SimpleHelp, which released patch version 5.3.9 on Jan. 13, 2025.
Researchers from security firm Arctic Wolf now report that an ongoing campaign is targeting SimpleHelp servers. According to the experts, the attacks are allegedly exploiting the above vulnerabilities and began a week after their public disclosure.
Attackers could download files, upload files with admin privileges, and escalate their access to an administrative level on vulnerable servers.
“On 22 January 2025, Arctic Wolf began observing a campaign involving unauthorised access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728).” reads the report published by Artic Wolf. “If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software.”
According to Arctic Wolf, SimpleHelp’s Remote Access.exe was running before the compromise, likely from a past support session. The first sign of intrusion was communication with an unapproved SimpleHelp server. Attackers attempted to gather account and domain details via cmd.exe using tools like net and nltest but failed to act further as the session was terminated early.
To minimize risks, the experts recommend uninstalling unused SimpleHelp client software from past support sessions, rotating passwords for admin and technician accounts, and restricting IP logins on SimpleHelp servers.
The Shadowserver Foundation reported they have seen 580 vulnerable instances exposed online, mainly in the United States and UK.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SimpleHelp RMM)
