Businesses are being encouraged to act against a worrying spate of ransomware attacks targeting unpatched flaws in widely used Remote Monitoring and Management (RMM) software SimpleHelp.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently sounded the alarm, a pattern that has seen ransomware actors, such as DragonForce and those associated with Play ransomware, exploit these vulnerabilities at least since January 2025.
The main bug, CVE-2024-57727, is a path traversal bug found in SimpleHelp version 5.5.7 and earlier. This design flaw leads to unauthenticated attackers being able to remotely access any file on the server, including privileged files such as Users data, server configuration settings, database credentials and private SSH keys.
Exploited in combination with other issues (CVE-2024-57728 and CVE-2024-57726), the attackers are able to perform privilege escalation and remote code execution to take full control of the targeted system.
The CISA advisory points to one case where a utility billing software vendor and its downstream customers were targeted, an example of a wider supply chain threat.
These vulnerabilities are being leveraged by these threat actors to obtain initial access, cause service disruption, and with most trends in ransomware; double extortion which entails encrypting data and threatening to release exfiltrated data if a ransom is not paid.
Key mitigations to protect your business
Patch Servers Now: Organizations that have deployed SimpleHelp RMM, whether independently or through third-party solutions, are instructed to update to the most recent patched versions of the software.” (5.5.8 for v5. 5. x, or patch 5.3.9 for v5. 3. x).
If you cannot immediately install the patch, isolate SimpleHelp server instances from the public internet or shut down the server until updates can be installed.
Threat Hunting: Perform deep threat hunting on any suspicious executables (e.g. 3-letter name such as aaa. exe) dated after January 2025 and look for unexpected incoming/outgoing traffic to/from SimpleHelp servers.
Good Security Posture: Keep a good asset inventory, use multi-factor authentication for all remote access solutions, and do not expose remote protocols like RDP directly to the internet without sufficient compensating controls.
Offline backups: Frequently backup all critical data into a separate, offline location and verify the security of those backups regularly to prevent them from being accessed by attackers.
Vendor Communication: Create and maintain communication with all external software vendors to be informed of their patch management processes and their security advisories.
RMM tools remain a popular means of abuse among ransomware gangs. Early action, in the form of patching, and a cloud-based security posture is critical to minimize the risk of these threats and protect business continuity.
