SecurityWeek

SimpleHelp Remote Access Software Exploited in Attacks

Threat actors have been exploiting SimpleHelp remote access software shortly after the disclosure of three vulnerabilities.

For the past week, threat actors have been observed targeting devices running SimpleHelp remote management software for initial access, Arctic Wolf reports.

The attacks started roughly a week after SimpleHelp released patches for three vulnerabilities in its remote access solutions that could allow attackers to fully compromise the server and client machines.

The three flaws, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, could allow attackers to retrieve logs and configuration files and extract credentials, log in as administrators or technicians to upload arbitrary files and execute arbitrary code, and elevate their privileges to those of an administrator.

Missing authorization checks in certain administrator functions could allow a user with a technician role to gain administrative privileges and take over the SimpleHelp server, and then interact with client machines.

“If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software,” Arctic Wolf notes.

The cybersecurity firm has observed threat actors accessing devices through an unapproved SimpleHelp server instance, and leveraging the session to enumerate accounts and domain information via command prompt.

According to Arctic Wolf, the SimpleHelp process had already been running on the targeted devices prior to the compromise, but the remote access session was terminated before the attack progressed further.

“While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible,” the cybersecurity firm notes.

On Monday, the Shadowserver Foundation said it started tracking SimpleHelp instances impacted by CVE-2024-57727 and identified roughly 580 of them. As of January 28, at least a dozen of them have been patched, data from Shadowserver shows.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
