CISA Warns SimpleHelp Vulnerabilities Are Being Exploited in Attacks


CISA has warned that two vulnerabilities in SimpleHelp remote support software are now being exploited in attacks, adding both flaws to its Known Exploited Vulnerabilities catalog on April 24, 2026. The agency ordered U.S. federal civilian agencies to apply fixes or mitigations by May 8, 2026.

The two newly added flaws are CVE-2024-57726, a missing authorization bug, and CVE-2024-57728, a path traversal issue that can lead to remote code execution when abused by an administrator-level attacker. Both affect SimpleHelp remote support software version 5.5.7 and earlier.

The warning matters because SimpleHelp is a remote monitoring and management tool. These platforms give technicians direct access to customer systems, which makes them attractive targets for ransomware crews, access brokers, and other attackers looking for a fast path into corporate networks.

SimpleHelp flaws can be chained for server compromise

CVE-2024-57726 allows a low-privileged technician account to create API keys with excessive permissions. That can let an attacker escalate privileges to the SimpleHelp server administrator role.

CVE-2024-57728 allows an authenticated administrator to upload arbitrary files anywhere on the SimpleHelp server by using a crafted zip file. This “zip slip” style flaw can let attackers execute code in the context of the SimpleHelp server user.

The risk increases when attackers chain the bugs. A compromised technician account can escalate to administrator, then use the file upload flaw to place malicious files on the server and move toward full compromise.

What CISA added to the KEV catalog

| CVE | Vulnerability type | Main risk | Required access | CISA action |
|---|---|---|---|---|
| CVE-2024-57726 | Missing authorization | Privilege escalation to server admin | Low-privileged technician | Added to KEV |
| CVE-2024-57728 | Path traversal | Arbitrary file upload and code execution | Administrator access | Added to KEV |

CISA’s KEV catalog signals confirmed exploitation in the wild. Federal civilian agencies must remediate listed vulnerabilities by the deadline, but private companies should also treat the catalog as a high-priority patching list.

A related SimpleHelp vulnerability, CVE-2024-57727, was already known to be exploited in earlier campaigns. It allows unauthenticated attackers to download arbitrary files from the SimpleHelp host, including configuration files and secrets.

Earlier attacks showed how serious the chain can be

Security teams had already warned about active SimpleHelp exploitation in 2025. NHS England said CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 could be chained to fully compromise a SimpleHelp server.

Arctic Wolf also observed a campaign in January 2025 involving unauthorized access to devices running SimpleHelp RMM software. It said a compromise of one SimpleHelp server could potentially lead to intrusions across multiple supported organizations.

That makes the latest CISA action more urgent. Attackers do not need to invent a new attack path when older exploit chains already show how SimpleHelp servers can become entry points into managed environments.

Why remote support tools remain high-risk targets

Remote support platforms sit close to the center of IT operations. They often have access to endpoints, administrator sessions, support credentials, and customer environments.

If attackers compromise one of these tools, they can blend into normal support activity. They may also use legitimate remote access features to run commands, enumerate accounts, move laterally, or install additional malware.

Arctic Wolf reported that attackers in a SimpleHelp-related campaign used a SimpleHelp session to launch command activity and enumerate accounts and domain information before the session was stopped.

What organizations should do now

Organizations should update SimpleHelp immediately if they run affected versions. Qualys and NHS England list SimpleHelp 5.5.7 and earlier as affected, with updates available for the 5.3, 5.4, and 5.5 branches.

Security teams should also review whether SimpleHelp remains installed on endpoints after old third-party support sessions. Arctic Wolf recommends uninstalling unused SimpleHelp client software to reduce the attack surface.

Recommended actions include:

  • Upgrade SimpleHelp servers to the fixed version for your branch.
  • Remove unused SimpleHelp clients from endpoints.
  • Rotate SimpleHelp administrator and technician passwords.
  • Restrict administrator and technician logins by trusted IP address.
  • Review logs for unexpected API key creation.
  • Investigate suspicious zip uploads or file writes on the SimpleHelp server.
  • Check for command activity launched through SimpleHelp sessions.
  • Disconnect vulnerable servers if fixes or mitigations cannot be applied.
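
For the zip upload review above, the following added example (not code from SimpleHelp or from any advisory cited here) shows how a responder can list the entries in a collected archive that would be written outside the extraction directory, which is the defining trait of a "zip slip" archive. The `/srv/extract` directory and the sample entry names are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Constructed entry names for the sample archive; none come from a real incident.
SAMPLE_NAMES = [
    "report.txt",              # plain file, stays inside
    "docs/../readme.txt",      # contains ".." but still resolves inside
    "../../outside.txt",       # climbs out of the extraction directory
    "..\\..\\outside.txt",     # same, written with Windows separators
    "../extract-old/cfg.txt",  # sibling directory that shares the prefix
    "/tmp/abs.txt",            # absolute path
]


def build_sample():
    """Build the constructed sample archive in memory; nothing touches disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()


def unsafe_entries(zip_bytes, dest="/srv/extract"):
    """Return (name, reason) for each entry that would land outside dest."""
    dest = posixpath.normpath(dest)  # hypothetical extraction directory
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too, as a Windows extractor would.
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
                continue
            resolved = posixpath.normpath(posixpath.join(dest, name))
            # Compare against dest + "/" so "/srv/extract-old" does not pass.
            if resolved != dest and not resolved.startswith(dest + "/"):
                findings.append((info.filename, "escapes extraction directory"))
    return findings


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"{reason}: {name!r}")
```

The check reads only the archive's directory listing and never extracts anything, so it is safe to run on files pulled from a suspect server.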

Summary

  1. CISA added CVE-2024-57726 and CVE-2024-57728 to its KEV catalog on April 24, 2026.
  2. Federal agencies must patch or mitigate the flaws by May 8, 2026.
  3. CVE-2024-57726 can let a low-privileged technician escalate to server administrator.
  4. CVE-2024-57728 can let an administrator upload arbitrary files and execute code.
  5. Organizations should update SimpleHelp, rotate credentials, restrict access, and remove unused clients.

FAQ

What is SimpleHelp?

SimpleHelp is remote support and remote monitoring software used by technicians and managed service providers to access and support machines.

Which SimpleHelp vulnerabilities did CISA add to KEV?

CISA added CVE-2024-57726 and CVE-2024-57728 to the Known Exploited Vulnerabilities catalog.

What versions are affected?

Security advisories list SimpleHelp version 5.5.7 and earlier as affected. Older 5.3 and 5.4 branches also require fixed versions.

Can these flaws lead to full server compromise?

Yes. Security advisories warn that SimpleHelp vulnerabilities can be chained to escalate privileges, access sensitive files, upload arbitrary files, and compromise the server.
