CISA warns of ransomware gangs exploiting SimpleHelp vulnerability


The US Cybersecurity and Infrastructure Security Agency has released an advisory warning of ransomware actors exploiting a known vulnerability in SimpleHelp Remote Monitoring and Management.

In one instance, a ransomware group was able to use the vulnerability to compromise the customers of a utility billing software provider that was running an unpatched version of the software.

The vulnerability, CVE-2024-57727, was first published in January 2025 and was patched at the same time.

“SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests,” the CVE record says.

“These files include server configuration files containing various secrets and hashed user passwords.”

Although the vulnerability has been patched, multiple ransomware actors have been able to compromise unpatched instances of SimpleHelp RMM in the first half of 2025.

This is the second time CISA has warned of exploitation of unpatched SimpleHelp RMM instances. In a June 4 advisory updating the known tactics, techniques, and procedures of the Play ransomware gang, CISA said it had observed “multiple ransomware groups, including initial access brokers with ties to Play ransomware operators” taking advantage of CVE-2024-57727.

You can read the full SimpleHelp advisory here.


