SimpleHelp remote monitoring and management software is vulnerable to three security flaws that can lead to information disclosure, privilege escalation, and remote code execution. Tracked as CVE-2024-57726, CVE-2024-57727, & CVE-2024-57728, the vulnerabilities were disclosed by Horizon3.ai last month.
The vulnerabilities came into the news when it was observed that threat actors were exploiting them to gain initial access and maintain persistent remote access to an unspecified target network.
CISA added the CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog acknowledging its active exploitation. CISA requested users to patch the flaw before March 6, 2025.
The Remote Monitoring and Management software helps Managed Service Providers (MSPs) manage their clients’ IT systems. The software allows users to monitor all the remote machines they operate.
A quick search revealed more than 15,000 targets on Fofa at the time of writing.
SimpleHelp has three primary personas: the administrator, the technician, and the customer.
- The administrator set up and configure the SimpleHelp server.
- Technicians use SimpleHelp to connect with their customers who need remote support.
- Customers are the ones asking for assistance.
CVE-2024-57726: Privilege Escalation from Technician to Server Admin
The vulnerability has a critical severity rating with a CVSS score of 9.9. If an attacker gains access as a low-privilege technician, they can further escalate their privileges to an Admin. This is because of a security flaw in which some admin functions in SimpleHelp were missing backend authorization checks. A technician can elevate their privilege to an admin using a crafted sequence of network calls. After gaining the admin privileges, an attacker can exploit the previous arbitrary file upload vulnerability to take over the SimpleHelp server.
CVE-2024-57727: Unauthenticated Path Traversal Vulnerability
The path traversal vulnerability may allow an unauthenticated attacker to download arbitrary files from the SimpleHelp server. This vulnerability severely impacts SimpleHelp data because it is stored on disk as files. Logs and configuration secrets are encrypted but with a hardcoded key.
The SimpleHelp config file serverconfig.xml in the configuration folder contains the hashed passwords for the SimpleHelpAdmin account and other local technician accounts. Based on SimpleHelp’s configuration, an attacker can gain access to various confidential files such as LDAP credentials, OIDC client secrets, API keys, and TOTP seeds used for multi-factor authentication.
CVE-2024-57728: Arbitrary File Upload to Remote Code Execution as Admin
If an attacker can log in as the SimpleHelpAdmin user or as a technician with admin privileges, they can exploit the vulnerability to upload arbitrary files anywhere on the SimpleServer host. An attacker may exploit this vulnerability by allowing Linux servers to upload a crontab file to execute remote commands. For Windows servers, an attacker could overwrite executables or libraries SimpleHelp uses to perform remote code execution.
Affected Versions
The vulnerabilities affect SimpleHelp versions 5.5.7 and earlier.
Mitigation
Customers must upgrade to SimpleHelp version 5.5.8 or later to patch the vulnerabilities.
Please refer to the SimpleHelp Security Advisory for more information.
Qualys Detection
Qualys customers can scan their devices with QIDs 732189, 152660, 152661, and 152662 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
https://simple-help.com/kb—security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
