CISA warns of SimpleHelp ransomware compromises after string of retail attacks


Ransomware gangs have been exploiting a vulnerability in the remote access and support software SimpleHelp during a recent string of attacks, according to federal cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that CVE-2024-57727, a vulnerability affecting SimpleHelp's widely used remote access tools, was exploited to "compromise customers of a utility billing software provider."

CISA declined to explain the timing of the advisory or what attacks it was referring to. 

SimpleHelp is remote support software that lets users access and control computers from anywhere; it is typically deployed by IT personnel to fix issues or monitor the functions of a device.

“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp…since January 2025,” CISA said. 

Ransomware gangs “likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp remote monitoring and management [tool] for disruption of services in double extortion compromises.”

CVE-2024-57727 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in February, and the agency renewed its call for software vendors, downstream customers and end users to fix the bug as soon as possible.
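CISA's call to "fix the bug as soon as possible" is easier to act on when the KEV catalog is checked against an asset inventory rather than read by hand. The script below is an added example, not code from CISA, SimpleHelp or the article: it loads a KEV-style catalog snapshot, matches it against a list of hosts and their installed software, and ranks the hits so that entries flagged for ransomware campaign use and past their due date come first. The catalog excerpt and the inventory are constructed for illustration (the entry's name, dates and action text are placeholders; only the CVE ID and the product come from the article). The real feed is the JSON file CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the same top-level "vulnerabilities" list and field names; it does not carry affected-version ranges, so this script flags every host running a listed product and leaves version triage to the reader.

```python
"""Match an asset inventory against a CISA KEV-style catalog snapshot.

Added example; not code from CISA, SimpleHelp or the article. The catalog
excerpt and the inventory are constructed. Field names follow the public KEV
JSON feed (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse, requiredAction); the entry's text and dates are
placeholders, not a copy of the live catalog entry.
"""
import json
from datetime import date

# Constructed KEV-style excerpt. A real run would load the live feed instead.
KEV_SNAPSHOT = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-57727",
      "vendorProject": "SimpleHelp",
      "product": "SimpleHelp",
      "vulnerabilityName": "SimpleHelp vulnerability (placeholder name)",
      "dateAdded": "2025-02-13",
      "shortDescription": "Placeholder description for the constructed entry.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
      "dueDate": "2025-03-06",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    }
  ]
}
"""

# Constructed inventory: hostname, vendor and product as an asset system might
# record them. Note the product string is not an exact match for the KEV entry.
INVENTORY = [
    {"host": "billing-app-01", "vendor": "SimpleHelp", "product": "SimpleHelp Server"},
    {"host": "helpdesk-02", "vendor": "ConnectWise", "product": "ScreenConnect"},
    {"host": "web-03", "vendor": "nginx", "product": "nginx"},
]


def load_kev(text: str) -> list:
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _norm(value: str) -> str:
    """Lower-case and collapse whitespace so vendor/product names compare loosely."""
    return " ".join(value.lower().split())


def match_inventory(inventory: list, kev_entries: list, today: date) -> list:
    """Return one finding per (host, KEV entry) pair whose vendor and product match.

    Vendor must match exactly after normalisation; the KEV product name only has
    to appear inside the inventory product string ("SimpleHelp" in
    "SimpleHelp Server"). Findings are sorted so that entries with known
    ransomware use come first, then the most overdue.
    """
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
                continue
            if _norm(entry["product"]) not in _norm(asset["product"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                "days_past_due": (today - due).days,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["ransomware_use"], -f["days_past_due"]))
    return findings


def report(findings: list) -> list:
    """Render findings as one line per host, in priority order."""
    lines = []
    for f in findings:
        flag = "RANSOMWARE" if f["ransomware_use"] else "exploited"
        lines.append(f"{f['host']}: {f['cveID']} [{flag}] "
                     f"{f['days_past_due']} days past due; {f['required_action']}")
    return lines


if __name__ == "__main__":
    hits = match_inventory(INVENTORY, load_kev(KEV_SNAPSHOT), date.today())
    print("\n".join(report(hits)) or "no KEV matches")
```

Hosts that are absent from the output are not necessarily safe: the snapshot here has a single entry, and a stale local copy of the feed will miss anything CISA added since, so refresh the catalog before each run and treat a product match as the start of version triage, not its conclusion.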

The federal advisory links to a May 27 report from cybersecurity firm Sophos that tied the SimpleHelp exploitation campaign to the use of DragonForce ransomware against retail companies. 

The report says DragonForce is being used by multiple hacking groups, including well known operations like Scattered Spider, in recent “attacks targeting multiple large retail chains in the UK and the US.”

CISA and the FBI also noted last week that the Play ransomware has been used in conjunction with the exploitation of CVE-2024-57727. 

Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to use the same bug to exploit SimpleHelp, which is deployed by many of the gang’s U.S.-based victims.

The exploitation of flaws in remote management tools like SimpleHelp continues to cause concern among defenders.

Vulnerabilities in popular tools produced by ConnectWise and Kaseya have been the source of multiple ransomware and nation-state incidents over the last five years.

Last week, CISA warned that hackers are exploiting a vulnerability in ConnectWise ScreenConnect, days after the company said it was investigating a nation-state attack on its systems that impacted some of its customers using the ScreenConnect remote management software.
