
January 28, 2025

Targeting of SimpleHelp RMM observed


Significant security vulnerabilities have recently been disclosed in SimpleHelp Remote Monitoring and Management (RMM) software. Chained together, they could result in unauthorized data access, privilege escalation, and execution of malicious code on the RMM server.

The vulnerabilities include:

  • CVE-2024-57726 (CVSS 9.9): This critical-severity flaw could allow a threat actor holding a low-privileged technician account to escalate to administrator rights, because the backend does not perform authorization checks on the relevant functions.
  • CVE-2024-57727 (CVSS 7.5): This path-traversal flaw permits an unauthenticated threat actor to retrieve arbitrary files from the SimpleHelp RMM server. Notably, this includes the serverconfig.xml file, which stores hashed passwords for the SimpleHelpAdmin account and other local technician accounts.
  • CVE-2024-57728 (CVSS 7.2): This issue could allow a threat actor with SimpleHelpAdmin or other administrative privileges to write files anywhere on the server's host, potentially leading to remote code execution.

A threat actor could chain CVE-2024-57726 and CVE-2024-57728 to gain administrative access and then deploy malicious software, thereby taking over the SimpleHelp RMM server.
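The file-read flaw (CVE-2024-57727) gives defenders something concrete to watch for at the network edge: requests to the SimpleHelp server whose path climbs out of the web root, or which resolve to serverconfig.xml. The detector below is an added example, not SimpleHelp's or Field Effect's code. The log lines are constructed in Common Log Format and the request paths in them are illustrative only, since the advisory does not show the request actually used; adapt the parser to whatever your reverse proxy or WAF records in front of the server.

```python
"""Detector for file-read attempts against a SimpleHelp RMM server.

Added example, not SimpleHelp or Field Effect code.  Flags requests whose
path contains a directory-traversal sequence (including percent- or
double-encoded ones) or resolves to a sensitive file such as
serverconfig.xml, which the advisory says holds hashed account passwords.
The log format assumed here is Common Log Format; the sample lines and
request paths are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# serverconfig.xml comes from the advisory; the other names are generic
# high-value targets added here as an assumption.
SENSITIVE_NAMES = {"serverconfig.xml", "passwd", "shadow", "web.config"}

# client ident user [time] "METHOD path PROTO" status size
_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)


def decode_path(raw_path):
    """Strip the query string, decode twice (catches %252e-style double
    encoding) and fold backslashes so Windows-style traversal is seen too."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/")


def classify(raw_path):
    """Return the list of reasons a request path is suspicious; [] if clean."""
    reasons = []
    decoded = decode_path(raw_path)
    if ".." in decoded.split("/"):
        reasons.append("traversal sequence")
    # What the path resolves to if a naive handler joins it onto the web root.
    resolved = posixpath.normpath("/" + decoded.lstrip("/"))
    if posixpath.basename(resolved).lower() in SENSITIVE_NAMES:
        reasons.append("sensitive file name")
    return reasons


def scan(lines):
    """Return (client_ip, method, raw_path, status, reasons) per suspicious request."""
    hits = []
    for line in lines:
        match = _LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        client, _when, method, path, status, _size = match.groups()
        reasons = classify(path)
        if reasons:
            hits.append((client, method, path, int(status), reasons))
    return hits


# Constructed sample: one encoded traversal to serverconfig.xml, one
# double-encoded traversal to /etc/passwd, two benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jan/2025:10:01:12 +0000] "GET /static/..%2f..%2fserverconfig.xml HTTP/1.1" 200 4312
198.51.100.7 - - [27/Jan/2025:10:01:15 +0000] "GET /static/logo.png HTTP/1.1" 200 812
203.0.113.10 - - [27/Jan/2025:10:01:20 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.44 - - [27/Jan/2025:10:02:01 +0000] "POST /api/login HTTP/1.1" 401 0
"""


if __name__ == "__main__":
    for client, method, path, status, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} {method} {path} -> {status}: {', '.join(reasons)}")
```

A 200 response on a flagged request is the case to escalate first: it means the file left the server. A 404 on the same pattern still tells you the source address is probing and is worth blocking at the edge while the server is patched.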


The vulnerabilities were responsibly disclosed to SimpleHelp on January 6, 2025, and then addressed in versions 5.3.9, 5.4.10, and 5.5.8, released on January 8 and 13.

SimpleHelp is strongly advising impacted users to update as soon as possible. It also recommends changing administrator and technician account passwords, since the hashes may already have been retrieved, and restricting the IP addresses allowed to reach the SimpleHelp RMM server for technician and administrator logins.

Source: Bleeping Computer

Analysis

Field Effect can confirm it has recently observed a threat actor connecting to a SimpleHelp RMM instance and immediately using that access to disable the anti-virus software installed on the host, likely to ensure subsequent malicious activity goes undetected. However, we cannot be certain whether threat actors are specifically exploiting the three newly disclosed vulnerabilities or older, unpatched ones. Typically, when a vendor discloses critical vulnerabilities in a remote access tool like SimpleHelp, it draws threat actors' attention to those deployments in general, and that may be what we have observed in this case.

[Figure: Worldwide deployments of SimpleHelp software (Source: Shodan.io)]

According to a Shodan search, there are over 3,000 internet-exposed instances of SimpleHelp software worldwide, with most located in the U.S. While we do not know whether all of these IP addresses are running vulnerable SimpleHelp RMM versions, there likely remains a large attack surface for threat actors to target, if they have not done so already.

Mitigation

Field Effect's Security Intelligence team continuously monitors the cyber threat landscape for vulnerabilities discovered in remote access software like SimpleHelp RMM. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate exploitation of these vulnerabilities.

Field Effect MDR users were automatically notified if a vulnerable version of SimpleHelp RMM was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages users of SimpleHelp RMM to update to the latest version as soon as possible, in accordance with the vendor's advisory. For organizations checking whether SimpleHelp has been deployed in their environment without IT's knowledge, search endpoints for an executable named "Remote Access.exe" whose file properties list "SimpleHelp LTD" as the vendor. The vendor advisory lists "SimpleHelp" as the name of the software.
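The two checks above, version triage against the fixed releases (5.3.9, 5.4.10 and 5.5.8) and the hunt for "Remote Access.exe" from vendor "SimpleHelp LTD", can be run together over an endpoint-inventory export. The script below is an added example, not Field Effect's or SimpleHelp's code. The CSV is constructed; its column names (host, path, file_name, vendor, version) are an assumption about your inventory tool's export; and it assumes the file version reported for the client executable tracks the server release it was issued from, so confirm the server's own version in its admin console before closing a finding. Versions on a branch the advisory does not list are reported as "unknown" rather than guessed either way.

```python
"""Triage an endpoint inventory export for SimpleHelp remote-access clients.

Added example, not Field Effect or SimpleHelp code.  Matches rows on the
executable name and vendor string given in the advisory, then compares the
reported version against the earliest fixed release on its branch.  The
CSV below is constructed; the column names are an assumption about your
inventory tool, and the client file version is assumed to track the server
release (verify on the server itself).
"""
import csv
import io

# Earliest fixed release per branch, as published by SimpleHelp.
FIXED = {(5, 3): (5, 3, 9), (5, 4): (5, 4, 10), (5, 5): (5, 5, 8)}

# Match criteria from the advisory (compared case-insensitively).
TARGET_FILE = "remote access.exe"
TARGET_VENDOR_PREFIX = "simplehelp"


def parse_version(text):
    """'5.5.7' -> (5, 5, 7); ignore a 4th build field; None if not numeric."""
    parts = text.strip().split(".")
    try:
        return tuple(int(p) for p in parts[:3])
    except ValueError:
        return None


def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for a SimpleHelp version."""
    version = parse_version(version_text)
    if version is None or len(version) < 3:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory: review manually
    return "fixed" if version >= fixed else "vulnerable"


def is_simplehelp_client(row):
    """True if the inventory row is the SimpleHelp client named in the advisory."""
    return (row["file_name"].strip().lower() == TARGET_FILE
            and row["vendor"].strip().lower().startswith(TARGET_VENDOR_PREFIX))


def triage(csv_text):
    """Return one finding per SimpleHelp client: host, path, version, status."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_simplehelp_client(row):
            continue
        findings.append({
            "host": row["host"],
            "path": row["path"],
            "version": row["version"].strip(),
            "status": assess(row["version"]),
        })
    return findings


# Constructed sample export: two vulnerable clients, one fixed, one on a
# branch the advisory does not list, and one unrelated executable.
SAMPLE_INVENTORY = """\
host,path,file_name,vendor,version
WS-0142,C:\\Users\\jdoe\\AppData\\Local\\Temp\\Remote Access.exe,Remote Access.exe,SimpleHelp LTD,5.5.7
WS-0143,C:\\Program Files\\Other\\agent.exe,agent.exe,Other Vendor,1.2.3
SRV-DB01,C:\\ProgramData\\RemoteAccess\\Remote Access.exe,Remote Access.exe,SimpleHelp Ltd,5.5.8
LT-0077,D:\\Tools\\Remote Access.exe,Remote Access.exe,SimpleHelp LTD,5.4.9.1
LT-0080,D:\\Tools\\Remote Access.exe,Remote Access.exe,SimpleHelp LTD,5.2.3
"""


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']:10} {finding['version']:8} {finding['status']:10} {finding['path']}")
```

Any hit on a host where IT never installed SimpleHelp is worth treating as a potential intrusion rather than a patching task, since the Analysis section above describes the tool being used as the attacker's foothold; in that case the executable's install path and creation time are the first things to pull.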
