Ransomware operators are exploiting a SimpleHelp vulnerability in attacks targeting the customers of a utility billing software provider, the US cybersecurity agency CISA warns.
The exploited bug, tracked as CVE-2024-57727 (CVSS score of 7.5), allows attackers to retrieve sensitive information such as credentials and API keys.
The security defect was patched in January along with two other flaws, CVE-2024-57728 and CVE-2024-57726, which allow attackers to upload arbitrary files and elevate their privileges to administrator.
CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) list in February, after threat actors were seen exploiting it to compromise devices running the SimpleHelp remote monitoring and management (RMM) software.
In late May, Sophos warned of a DragonForce ransomware attack compromising an MSP and its customers through the exploitation of a vulnerable SimpleHelp instance. CISA now warns of a similar incident, urging immediate patching.
According to CISA, the compromise of a utility billing software provider’s customers through a vulnerable SimpleHelp instance “reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.”
“SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727—a path traversal vulnerability. Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises,” CISA says.
Software vendors, downstream customers, and end users should take immediate steps to patch their SimpleHelp deployments and hunt for indicators of compromise (IoCs), the agency notes.
Third-party vendors should immediately disconnect systems running SimpleHelp version 5.5.7 or prior, upgrade to a patched release, and notify downstream customers to secure their endpoints.
Downstream customers should determine the SimpleHelp version they are using, conduct threat hunting actions, disconnect vulnerable instances, monitor for unusual SimpleHelp server traffic, and apply the available patches.
End-users, CISA notes, should disconnect impacted devices, reinstall their operating system from a clean installation media, and restore their data from a clean backup.
Related: FBI Aware of 900 Organizations Hit by Play Ransomware
Related: Companies Warned of Commvault Vulnerability Exploitation
Related: ConnectWise Discloses Suspected State-Sponsored Hack
