
Ransomware actors have compromised customers of a utility billing software provider after exploiting a vulnerability in the SimpleHelp Remote Monitoring and Management (RMM) tool.
A new advisory from the Cybersecurity and Infrastructure Security Agency (CISA) warned that the incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.
SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including a path traversal vulnerability CVE-2024-57727.
“Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises,” CISA wrote.
All software vendors, downstream customers and end users have been urged to immediately determine if they have been compromised via the SimpleHelp flaw and apply mitigations.
SimpleHelp Flaws Exploited by DragonForce
The path traversal vulnerability CVE-2024-57727 was published in January 2025, and added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2025.
This flaw can allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
In May, Sophos researchers observed DragonForce ransomware being deployed across several client networks by exploiting CVE-2024-57727 in combination with two other vulnerabilities also disclosed in January:
- CVE-2024-57728: A high-severity flaw enabling admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file
- CVE-2024-57726: A critical-level vulnerability that allows low-privilege technicians to create API keys with excessive permissions
Following encryption, the attackers adopted a double extortion strategy, demanding ransom while threatening to leak stolen data.
CISA did not disclose the ransomware group responsible for the attack on the utility software provider.
How to Protect Against SimpleHelp Compromise
CISA issued recommendations for software vendors, downstream customers and end users to determine if they are impacted by vulnerable SimpleHelp versions and how to mitigate the risks.
Software Vendors
If SimpleHelp is embedded in vendor-owned software or if a third-party service provider leverages SimpleHelp on a downstream customer’s network, these companies should identify the SimpleHelp server version at the top of the file.
If they discover version 5.5.7 or prior has been used since January 2025, vendors should take the following actions:
- Isolate the SimpleHelp server instance from the internet or stop the server process
- Immediately upgrade to the latest SimpleHelp version to patch the flaws
- Contact all downstream customers and direct them to take actions to secure their endpoints and undertake threat hunting actions on their network
Downstream Customers and End Users
Downstream customers should immediately determine if their system is running an unpatched version of SimpleHelp RMM either directly or embedded in third-party software.
This can be done by checking the following paths according to the specific operating system.
- Windows: %APPDATA%\JWrapper-Remote Access
- Linux: /opt/JWrapper-Remote Access
- macOS: /Library/Application Support/JWrapper-Remote Access
If SimpleHelp is identified in any endpoints, the software version can be determined by performing an HTTP query against it.
If SimpleHelp version 5.5.7 or earlier is confirmed on a system, organizations should conduct threat hunting actions for evidence of compromise and continuously monitor for unusual inbound and outbound traffic from the SimpleHelp server.
If there is no evidence of compromise, users should immediately upgrade to the latest SimpleHelp version, or apply appropriate workarounds if it is not possible to fix straight away.
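As an added illustration of the checks described above (this is not code from the article, CISA or SimpleHelp), the following Python helper looks for the OS-specific install paths listed above, fetches the server's version over HTTP, and compares it against 5.5.7 numerically so that a release such as 5.5.10 is not mistaken for an older one. The version endpoint path is an assumption (the article does not name it) and should be confirmed against the CISA advisory before use.

```python
import os
import platform
import re
import urllib.request
from typing import Optional, Tuple

# Install paths given in the CISA guidance, keyed by platform.system() names.
SIMPLEHELP_PATHS = {
    "Windows": os.path.join(os.environ.get("APPDATA", ""), "JWrapper-Remote Access"),
    "Linux": "/opt/JWrapper-Remote Access",
    "Darwin": "/Library/Application Support/JWrapper-Remote Access",
}

# 5.5.7 and earlier are affected by CVE-2024-57727/-57726/-57728.
LAST_VULNERABLE = (5, 5, 7)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the first x.y.z version in text as an int tuple.
    Tuples compare numerically, so (5, 5, 10) > (5, 5, 7); a plain
    string comparison would get that wrong."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version is 5.5.7 or earlier."""
    return parse_version(version_text) <= LAST_VULNERABLE


def find_local_install(system: str = platform.system()) -> Optional[str]:
    """Return the SimpleHelp directory if it exists on this host, else None."""
    path = SIMPLEHELP_PATHS.get(system)
    return path if path and os.path.isdir(path) else None


def fetch_server_version(base_url: str, endpoint: str = "/allversions",
                         timeout: int = 10) -> str:
    """Query the SimpleHelp server and return the raw response text.
    ASSUMPTION: the endpoint path is not stated in the article; confirm it
    against the CISA advisory (or vendor documentation) before relying on it."""
    url = base_url.rstrip("/") + endpoint
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    install = find_local_install()
    print("local SimpleHelp install:", install or "not found")
    # Example triage against a constructed response string, no network needed:
    print("5.5.10 vulnerable?", is_vulnerable("SimpleHelp 5.5.10"))  # False
```

Run it on an endpoint with a suspected install; feed `fetch_server_version(...)` output into `is_vulnerable` and, on a True result, proceed to the threat-hunting steps above before upgrading.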