In January 2025, three vulnerabilities in SimpleHelp were reported to us, assigned CVE identifiers, and more importantly, patched. If you're running SimpleHelp 5.5.8 or later, your server is not affected. If you're not, read on: this post covers what the vulnerabilities are, how we responded, and what you should do next.
What Were the Vulnerabilities?
The three CVEs affect SimpleHelp versions 5.5.7 and earlier. Here is a plain language breakdown of each:
CVE-2024-57727 (CVSS 7.5 — High) A path traversal vulnerability that allowed an unauthenticated attacker to download arbitrary files from the SimpleHelp server host via crafted HTTP requests. In practice, this meant that configuration files, including serverconfig.xml (which contains hashed admin credentials and secrets such as LDAP credentials, OIDC client tokens, and TOTP seeds), could be retrieved without logging in.
CVE-2024-57726 (CVSS 9.9 — Critical) A missing authorisation check in certain admin API functions. An authenticated attacker with low privilege technician access could craft a sequence of API calls to create overly permissive API keys, then use those keys to escalate their privileges to server administrator level. No additional authentication was required beyond that initial foothold.
CVE-2024-57728 (CVSS 7.2 — High) An arbitrary file upload vulnerability accessible to authenticated admin users. By uploading a crafted ZIP file (a zip slip attack), an attacker with admin access could write files to arbitrary locations on the host file system — and on Linux servers, this could be used to install a crontab for persistent code execution. On Windows, it could be used to overwrite executables or libraries to achieve the same effect.
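CVE-2024-57727 and CVE-2024-57728 are both path traversal flaws: a client-supplied path reaches the file system without a check that the result stays inside the intended directory. The example below is added here and is not SimpleHelp's code; it shows that confinement check applied to an uploaded archive (zip slip, failing closed on the whole upload) and to a URL-decoded request path. The directory names, the request prefix and the sample archive are constructed placeholders, not SimpleHelp's real layout.

```python
import io
import os
import posixpath
import zipfile
from urllib.parse import unquote

def is_confined(base_dir: str, relative: str) -> bool:
    """True only if base_dir joined with relative still resolves inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    return target == base or target.startswith(base + os.sep)

def request_escapes_webroot(raw_path: str, webroot: str = "/srv/app/www") -> bool:
    """Flag a request path that leaves the web root once fully URL-decoded.

    Decoding twice catches double-encoded dots ('%252e%252e'). The webroot
    is a placeholder, not SimpleHelp's real layout.
    """
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    return not is_confined(webroot, decoded.lstrip("/"))

def check_archive(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return entry names that would land outside dest_dir (zip slip)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            if posixpath.isabs(norm) or not is_confined(dest_dir, norm):
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest_dir: str) -> None:
    """Fail closed: refuse the whole upload if any entry escapes dest_dir."""
    bad = check_archive(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"zip slip attempt, refused entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry, one that tries to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("branding/logo.png", b"constructed placeholder")
        zf.writestr("../../etc/cron.d/persist", b"# constructed, not a real job\n")
    return buf.getvalue()

if __name__ == "__main__":
    print("rejected entries:", check_archive(build_sample_zip(), "/srv/app/uploads"))
    print("traversal request:", request_escapes_webroot("/files/..%2F..%2Fserverconfig.xml"))
```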
How These Can Be Chained
Individually, each vulnerability requires a different level of access. Together, they form a complete compromise chain:
- An unauthenticated attacker uses CVE-2024-57727 to retrieve the server configuration file and extract the hashed admin password.
- If the hash is cracked, or if any technician credentials are available, CVE-2024-57726 is used to escalate those credentials to full administrator access.
- With admin access in hand, CVE-2024-57728 allows arbitrary code execution on the server host.
Security researchers at Horizon3.ai identified and published this chain. Ransomware groups including DragonForce and Medusa have since been observed exploiting it in the wild, specifically targeting MSP environments where a single compromised SimpleHelp server can provide access to an entire managed device fleet.
Our Response
These vulnerabilities were reported to us responsibly, and we resolved them within two days of the initial report, approximately a week before Horizon3.ai published their public disclosure. Patches were made available in SimpleHelp versions 5.5.8 through 5.5.10, released between 8 and 13 January 2025.
The fixes address each flaw at the source: the path traversal vulnerabilities were closed, and the missing authorisation checks were added to the relevant admin API functions.
Our full security advisory is available here: Security Vulnerabilities in SimpleHelp 5.5.7 and Earlier
Is Your Server Up to Date?
If your SimpleHelp server is running 5.5.8 or later, these CVEs do not apply to your installation. If a security scanner has flagged these CVEs against your environment, it is most likely scanning against an older version of the Remote Access Service binary, which may not have been updated alongside the server itself. Check that both your server and deployed Remote Access Services are running a current version.
The latest release is SimpleHelp 5.5.15. We strongly recommend upgrading if you have not already. You can find the latest downloads on our Downloads page.
A Note on Security Scanners and VirusTotal
SimpleHelp 5.5.15 is signed with a new code signing certificate. As deployment of this release spreads, you may see reputation-based detections from endpoint security tools or VirusTotal; this is expected behaviour for newly signed binaries and is not indicative of a genuine threat.
It is also worth noting that binary hashes for SimpleHelp's Remote Access Service are not universal: the binary is generated from your server, incorporating your branding, server name, and configuration. This means the hash your scanner sees will differ from hashes in public databases, which can trigger false positive detections. If you are concerned about a specific hash flagged on your installation, get in touch with us and we can help investigate.
What's Changing in the Wider Landscape
These vulnerabilities, and the campaigns that followed their disclosure, are a reminder of why RMM tools sit at the top of threat actors' target lists. A compromised RMM server is not just one compromised machine; it is a potential foothold across every device it manages.
Endpoint security is also moving in a clear direction: more and more platforms are shifting toward a whitelist-only model for remote access tools. Rather than detecting and blocking known bad binaries, they are moving to block everything that is not explicitly permitted. If you are not already managing SimpleHelp through your endpoint security allowlist, now is a good time to start.
Action checklist:
- Verify your SimpleHelp server is running version 5.5.8 or later (5.5.15 is current)
- Confirm deployed Remote Access Services have been updated
- Add SimpleHelp binaries to your endpoint security allowlist
- Review the full security advisory for detailed technical guidance
If you have questions about your specific installation, contact our support team or reach out via the community forum.
SimpleHelp is a unified remote support and RMM platform, designed and built as one application since 2007. Learn more at simple-help.com.