Threat Actors Exploit SimpleHelp Vulnerabilities To Access Systems

Overview of the Attack Campaign
Cybersecurity researchers have observed a new wave of attacks targeting devices running SimpleHelp, a remote management software, as part of an effort to gain initial access to compromised systems. The attacks were first detected roughly a week after SimpleHelp issued patches for multiple security vulnerabilities in its remote access platform.
According to Arctic Wolf, the campaign involves threat actors attempting to exploit these vulnerabilities to gain unauthorized access, extract credentials, and potentially take control of both SimpleHelp servers and connected client machines.
Details of the Vulnerabilities
The three security flaws, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, pose a severe risk to organizations using SimpleHelp’s remote access solutions. These vulnerabilities allow attackers to:
- Retrieve logs and configuration files, enabling them to extract sensitive credentials.
- Log in as administrators or technicians, providing unauthorized control over the remote management platform.
- Upload and execute arbitrary code, which could lead to full system compromise.
- Elevate privileges to administrator level, allowing attackers to take over the SimpleHelp server and interact with client machines remotely.
A critical flaw in the platform’s authorization mechanisms allows users with technician-level access to escalate their privileges and seize administrative control, further amplifying the potential damage.
“If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software,” Arctic Wolf warns.
Observed Attack Patterns
Arctic Wolf's analysis indicates that threat actors have been accessing devices through unauthorized SimpleHelp server instances. Once inside, they are leveraging their access to enumerate user accounts and gather domain information via command-line tools.
Notably, in the cases investigated, the SimpleHelp process had already been running on the targeted devices before the attack, suggesting that adversaries may be exploiting previously infected or vulnerable instances of the software. However, the remote access session was terminated before the attackers could escalate their access further.
While the exact method of initial access remains unclear, the timing of these attacks strongly suggests that adversaries are attempting to exploit the newly disclosed SimpleHelp vulnerabilities.
Mitigation and Security Recommendations
Although it is not yet confirmed whether the disclosed vulnerabilities were directly responsible for the observed campaign, Arctic Wolf strongly recommends that organizations using SimpleHelp upgrade to the latest patched versions of the server software immediately.
Security teams should take the following precautions:
- Apply security patches: Ensure that SimpleHelp servers are updated to the latest versions that address CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726.
- Restrict remote access: Limit the exposure of SimpleHelp services to the internet where possible and enforce strict authentication controls.
- Monitor SimpleHelp server logs: Watch for unusual login attempts or unauthorized remote sessions.
- Segment network access: Reduce the risk of lateral movement by restricting access to SimpleHelp servers and isolating them from sensitive systems.
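As an added illustration of the monitoring recommendation above and of the account and domain enumeration Arctic Wolf observed, the following example (written for this page, not code from the original article or from Arctic Wolf) flags hosts where discovery commands ran as children of the remote-support client. The client binary name, the Sysmon-style event fields and the sample events are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed placeholder for the remote-support client binary; substitute the
# image name your SimpleHelp deployment actually runs.
REMOTE_SUPPORT_PARENTS = {"simplehelp_client.exe"}

# Windows built-ins commonly used for account and domain discovery.
ENUM_PATTERNS = [
    (r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b", "account enumeration"),
    (r"\bnltest(\.exe)?\s+/(dclist|domain_trusts|dsgetdc)", "domain discovery"),
    (r"\bwhoami(\.exe)?\s+/(all|groups|priv)", "privilege/group enumeration"),
    (r"\bsysteminfo(\.exe)?\b", "host discovery"),
]

@dataclass
class ProcEvent:  # minimal subset of Sysmon Event ID 1 (process create) fields
    host: str
    parent_image: str
    command_line: str

def classify(event):
    """Label a discovery command spawned under the remote-support client, else None."""
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if parent not in REMOTE_SUPPORT_PARENTS:
        return None
    for pattern, label in ENUM_PATTERNS:
        if re.search(pattern, event.command_line, re.IGNORECASE):
            return label
    return None

def flag_hosts(events, threshold=2):
    """Hosts where at least `threshold` distinct discovery categories ran under the
    remote-support client: one command is noise, a cluster is a session to review."""
    seen = {}
    for ev in events:
        label = classify(ev)
        if label:
            seen.setdefault(ev.host, set()).add(label)
    return {h: sorted(l) for h, l in seen.items() if len(l) >= threshold}

# Constructed sample events (not real telemetry).
SH = r"C:\Program Files\SimpleHelp\simplehelp_client.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws01", SH, "cmd.exe /c net user /domain"),
    ProcEvent("ws01", SH, "cmd.exe /c nltest /dclist:corp"),
    ProcEvent("ws01", SH, "whoami /all"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", "net user"),  # not via remote tool
    ProcEvent("ws03", SH, "cmd.exe /c ipconfig /all"),           # not a listed discovery cmd
    ProcEvent("ws03", SH, "systeminfo"),                         # single category only
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_EVENTS))
```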
Tracking and Response Efforts
On January 29, 2025, the Shadowserver Foundation reported that it had started tracking SimpleHelp instances affected by CVE-2024-57727. Its scans identified roughly 580 vulnerable instances exposed to the internet.
Encouragingly, as of January 28, at least a dozen of these instances had already been patched, according to Shadowserver’s data. However, the total number of unpatched systems remains a concern, as threat actors continue to actively scan for and exploit vulnerable SimpleHelp servers.
Conclusion
This ongoing attack campaign highlights the risks associated with unpatched remote management software and the importance of timely vulnerability disclosure and remediation. Organizations using SimpleHelp should prioritize security updates and adopt proactive threat monitoring to mitigate potential risks.
As threat actors increasingly target remote access solutions as an entry point for cyberattacks, maintaining strong security hygiene and implementing access controls are critical steps in preventing unauthorized intrusions.