CVE-2024-57728

SimpleHelp RMM — Admin Zip Slip Enables Arbitrary File Write and Remote Code Execution
⚠️ CVSS 3.1  7.2 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is SimpleHelp?

SimpleHelp is a commercial Remote Monitoring and Management (RMM) and remote support software platform used by thousands of MSPs (Managed Service Providers) and IT teams. It enables remote desktop control, unattended access, automation, and monitoring across all managed devices. Because MSPs manage the IT infrastructure of many downstream clients, a compromised SimpleHelp server is an entry point into every one of those clients' networks.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 24, 2026, with a remediation deadline of May 8, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2024-57728 is a Zip Slip / path traversal (CWE-59) vulnerability in SimpleHelp's administrative file upload feature. A server administrator can upload a crafted ZIP archive that extracts files to arbitrary locations on the host filesystem, enabling remote code execution as the SimpleHelp server process user.

Because this vulnerability requires admin credentials, it is typically exploited as the third step in a chained attack — after CVE-2024-57726 is used to escalate a low-privilege technician account to admin. The DragonForce ransomware group used this complete chain to compromise MSP servers and propagate ransomware to client organizations.

The SimpleHelp Vulnerability Chain

CVE-2024-57728 is the RCE payload in a three-CVE attack chain discovered by Horizon3.ai:

CVE            | Type                   | CVSS | Auth Required    | Impact
CVE-2024-57727 | Path Traversal         | 7.5  | None             | Read server config, harvest credentials
CVE-2024-57726 | Missing Authorization  | 9.9  | Low (technician) | Escalate to server admin
CVE-2024-57728 | Zip Slip / File Upload | 7.2  | Admin            | Write arbitrary files → RCE

Affected Versions

Version Branch | Vulnerable Through | Fixed Version | Released
v5.5.x         | v5.5.7 and earlier | v5.5.8        | January 8, 2025
v5.4.x         | v5.4.x and earlier | v5.4.10       | January 8, 2025
v5.3.x         | v5.3.x and earlier | v5.3.9        | January 13, 2025

Technical Details

What is Zip Slip?

Zip Slip is a class of directory traversal vulnerability that occurs during ZIP archive extraction. When a ZIP entry contains path traversal sequences in its filename (e.g., ../../../../etc/cron.d/shell), a vulnerable extraction routine writes the file outside the intended destination directory. The attack was first widely documented in 2018 and affects many languages and libraries that lack proper path validation during extraction.

How CVE-2024-57728 Works

SimpleHelp's administrative interface allows admins to upload files (toolboxes, automation packages) via a ZIP archive. The extraction routine does not validate that the output path for each ZIP entry stays within the intended upload directory. An attacker crafts a malicious ZIP where entries contain traversal sequences:

malicious.zip
├── ../../etc/cron.d/reverse_shell      (cron persistence)
├── ../../../../var/www/html/shell.jsp  (web shell)
└── ../../../tmp/backdoor.sh            (dropper)

When the server extracts this ZIP, the files land at the traversal-specified paths rather than within the upload directory. Once a web shell or cron job is in place, the attacker executes arbitrary commands as the SimpleHelp server process user.
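The check that the extraction routine described above lacks, as an added example that is not SimpleHelp's code: each entry name is resolved against the upload directory and the whole archive is refused when any entry would land outside it. build_sample_zip constructs a test archive whose traversal names mirror the listing above but whose entries hold only a placeholder line; the example assumes Python 3.8+ and the standard library only.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def entry_escapes(dest: Path, name: str) -> bool:
    """True when a ZIP entry name would land outside dest (a Zip Slip entry)."""
    root = dest.resolve()
    # Backslashes count as separators; joining an absolute name onto root yields
    # that absolute path, so relative_to() rejects it along with any "../" escape.
    target = (root / name.replace("\\", "/")).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return True
    return False

def find_traversal_entries(zip_bytes: bytes, dest: Path = Path("upload")) -> list:
    """Inspect an uploaded archive without writing anything; return escaping names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(dest, n)]

def safe_extract(zip_bytes: bytes, dest: Path) -> list:
    """Refuse the whole archive if any entry escapes; otherwise extract under dest."""
    bad = find_traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError("traversal entries in archive", bad)
    root, written = dest.resolve(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = root / info.filename.replace("\\", "/")
            if not info.is_dir():  # directories are created lazily via parents=True
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                written.append(target.relative_to(root).as_posix())
    return written

def build_sample_zip(names) -> bytes:
    # Constructed test archive: traversal names only, harmless placeholder content.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder\n")
    return buf.getvalue()

def extract_to_tempdir(zip_bytes: bytes):
    """Run safe_extract in a scratch directory; return (written paths, rejected names)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return safe_extract(zip_bytes, Path(tmp) / "upload"), []
        except ValueError as e:
            return [], e.args[1]
```

Rejecting the archive outright, rather than skipping the bad entries, keeps a partially written toolbox from ever reaching the server and gives the audit log a single clear event to alert on.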

Why the CVSS score is 7.2 despite leading to full RCE: Admin credentials are required (PR:H), which limits the base score. In practice, attackers obtain admin access via CVE-2024-57726 — making the effective combined impact much higher than either CVE's individual score suggests.

Discovery

Discovered by the Horizon3.ai Attack Research Team alongside CVE-2024-57726 and CVE-2024-57727. Coordinated disclosure with SimpleHelp began December 30, 2024, with patches released January 8–13, 2025.

Exploitation Context

The DragonForce ransomware-as-a-service group exploited the complete SimpleHelp vulnerability chain in supply-chain attacks targeting MSPs and their clients, documented by Sophos and Arctic Wolf:

  • Attackers chained CVE-2024-57727 → CVE-2024-57726 → CVE-2024-57728 for full server compromise
  • Used RCE to establish a foothold on MSP infrastructure
  • Pivoted from the compromised SimpleHelp server into managed client networks using the RMM's built-in remote access capabilities
  • Deployed ransomware payloads across multiple client organizations simultaneously

Medusa ransomware operators independently leveraged the same vulnerability chain in Q1 2025 attacks against UK organizations.

Remediation

CISA BOD 22-01 Deadline: May 8, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Upgrade SimpleHelp immediately to v5.5.8, v5.4.10, or v5.3.9. Patches were released January 8–13, 2025.
  2. Audit the upload directory and the locations a traversal entry could reach (web-accessible paths, cron directories, system directories) for unexpected files — these may indicate prior compromise.
  3. Review admin account activity — unauthorized admin access (obtained via CVE-2024-57726) is a prerequisite for this vulnerability. Check API key creation logs.
  4. Restrict internet exposure — SimpleHelp management interfaces should not be directly internet-accessible. Place behind VPN or firewall rules.
  5. Treat potential compromise as confirmed if your SimpleHelp server was unpatched and internet-exposed after January 13, 2025. Incident response procedures should include reviewing all managed client systems for unauthorized access.

Key Details

CVE ID: CVE-2024-57728
Vendor / Product: SimpleHelp — SimpleHelp
NVD Published: 2025-01-15
NVD Last Modified: 2026-04-24
CVSS 3.1 Score: 7.2
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-59 — Improper Link Resolution Before File Access
CISA KEV Added: 2026-04-24
CISA KEV Deadline: 2026-05-08
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-05-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2024-12-30: Horizon3.ai initiates contact with SimpleHelp vendor
2025-01-06: Formal vulnerability disclosure by Horizon3.ai; vendor acknowledgment
2025-01-08: SimpleHelp patches v5.5.8 and v5.4.10 released
2025-01-13: SimpleHelp patch v5.3.9 released; public disclosure by Horizon3.ai
2025-01-15: CVEs published to NVD
2025-01-22: Arctic Wolf observes active exploitation campaigns
2025-02-01: DragonForce ransomware group exploits full vulnerability chain in MSP supply-chain attacks
2026-04-24: Added to CISA Known Exploited Vulnerabilities Catalog
2026-05-08: CISA BOD 22-01 remediation deadline