What we know about the SimpleHelp Remote Monitoring and Management cyberattack.

In June 2025, CISA published an advisory on a ransomware campaign against organizations running SimpleHelp's Remote Monitoring and Management (RMM) software. The intrusions exploited unpatched SimpleHelp server vulnerabilities, most notably CVE-2024-57727, an unauthenticated path traversal flaw that let ransomware actors read the server's configuration and credential files, compromise systems, steal sensitive data, and deploy ransomware in double extortion schemes.

Timeline and Scope

• Initial Disclosure: Three SimpleHelp vulnerabilities (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728) were publicly disclosed in January 2025. SimpleHelp released fixed builds at that time (5.5.8, with backports 5.4.10 and 5.3.9 for the older branches), but many organizations did not apply them promptly.
• Active Exploitation: Since January 2025, ransomware groups have been actively exploiting these flaws; CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities catalog in February 2025. Attackers targeted utility billing software providers and managed service providers (MSPs), then pivoted through the RMM to their downstream customers.
• Notable Incidents: One high-profile breach involved a utility billing software provider whose customers experienced service disruptions and data theft.

Technical Details

Vulnerabilities Exploited

• CVE-2024-57727: A high-severity, unauthenticated path traversal vulnerability in SimpleHelp server versions 5.5.7 and earlier. By placing directory traversal sequences in the path of a crafted HTTP request, an attacker could download arbitrary files from the server host, including serverconfig.xml, which holds hashed technician and admin passwords and other secrets.
• Other Flaws: Two additional vulnerabilities were also exploited. CVE-2024-57726 is a missing authorization check that lets a low-privilege technician account create API keys with server-admin permissions (privilege escalation). CVE-2024-57728 lets an admin account upload arbitrary files to arbitrary locations on the server, which yields remote code execution. Chained together, the three flaws take an unauthenticated attacker from an exposed server to full control of it.

Attack Methodology

• Initial Access: Attackers scanned for internet-exposed SimpleHelp servers running vulnerable builds. By exploiting CVE-2024-57727, they retrieved serverconfig.xml and other sensitive files, obtaining hashed admin passwords, API keys, and MFA seeds.
• Lateral Movement: With cracked or reused credentials, attackers authenticated to the server, escalated to server-admin privileges (CVE-2024-57726), gained code execution on the host (CVE-2024-57728), and then used the RMM's own remote-management features to push tooling and ransomware to the endpoints it managed, including those of downstream customers.
• Double Extortion: Attackers exfiltrated data before encrypting systems, then threatened to leak it unless ransoms were paid. Groups including DragonForce and Play ransomware affiliates were observed using these tactics.
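The two practical questions that follow from the vulnerability and methodology sections above are "is my SimpleHelp server on a vulnerable build?" and "does my web log show the traversal pattern?". The script below is an added example written for this page; it is not SimpleHelp's code or anything from the advisories. The fixed build numbers come from SimpleHelp's January 2025 releases. The access-log lines are constructed, not real victim data, and the request path they use is an assumption modelled on the traversal form described above (a "../" sequence aimed at serverconfig.xml); adapt the indicator strings to your own server's log format.

```python
import re
from urllib.parse import unquote

# First fixed build per supported branch (SimpleHelp, January 2025).
# Anything older on the same branch is exposed to CVE-2024-57726/57727/57728.
FIXED_BUILDS = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}


def parse_version(text):
    """'5.5.7' -> (5, 5, 7). Raises ValueError on anything that is not x.y.z."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected SimpleHelp version string: {text!r}")
    return parts


def is_vulnerable(version):
    """True if this server build predates the January 2025 fix for its branch.

    Branches older than 5.3 never received a fix and are treated as vulnerable;
    branches newer than 5.5 postdate the fix and are treated as patched.
    """
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return v < (5, 3, 9)
    return v < fixed


# Constructed Common Log Format lines (assumption: not from any real incident).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:03:14:07 +0000] "GET /toolbox-resource/../resource/serverconfig.xml HTTP/1.1" 200 18422
203.0.113.10 - - [12/Jan/2025:03:14:09 +0000] "GET /toolbox-resource/%252e%252e%252fresource%252fserverconfig.xml HTTP/1.1" 200 18422
198.51.100.7 - - [12/Jan/2025:03:20:41 +0000] "GET /toolbox-resource/../resource/serverconfig.xml HTTP/1.1" 404 312
10.0.0.5 - - [12/Jan/2025:08:01:00 +0000] "GET /toolbox-resource/icons/app.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File the traversal was used to read in the reported intrusions.
CONFIG_FILE = "serverconfig.xml"


def find_traversal(log_text):
    """Return one record per request whose decoded path contains a traversal.

    The path is URL-decoded twice because attackers double-encode '../' as
    '%252e%252e%252f' to slip past single-decoding filters.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m.group("path")))
        if "../" not in decoded and "..\\" not in decoded:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": decoded,
            "status": int(m.group("status")),
            # A 200 on the config file means the secrets were actually served.
            "config_read": m.group("status") == "200" and CONFIG_FILE in decoded,
        })
    return hits


def attackers_by_ip(hits):
    """Count traversal requests per source IP, for blocklisting and scoping."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for v in ("5.5.7", "5.5.8", "5.4.9", "5.3.9"):
        print(f"SimpleHelp {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for h in find_traversal(SAMPLE_LOG):
        flag = "CONFIG READ" if h["config_read"] else "attempt"
        print(f"{h['ip']} {h['status']} {flag} {h['path']}")
    print(attackers_by_ip(find_traversal(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any record with config_read set to True means the server's credential material should be considered compromised and rotated, not merely patched.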

Impact

• Service Disruptions: Victims, including customers of the utility billing software provider, experienced outages and data loss.
• Data Theft: Sensitive data was exfiltrated, with attackers threatening public release if ransoms were not paid.
• Supply Chain Risk: The campaign highlighted the risk concentrated in third-party software and MSPs: an RMM server holds privileged remote access to every endpoint it manages, so a single compromised instance can be turned against numerous downstream clients at once.