CISA added three SimpleHelp Remote Support vulnerabilities to its Known Exploited Vulnerabilities catalog this week, giving Federal Civilian Executive Branch agencies until May 8, 2026 to patch or pull the appliance offline. The catch is not the bugs themselves — they were disclosed in January 2025 — but the campaign now riding them: DragonForce ransomware operators are using SimpleHelp as a one-to-many delivery mechanism, lighting up entire MSP customer fleets in a single push.

The bugs

The chain is three CVEs deep, all in SimpleHelp v5.5.7 and earlier:

  • CVE-2024-57727 (CVSS 7.5) — unauthenticated path traversal in the SimpleHelp web app. A crafted GET to /files?path=../../../../../../etc/passwd reads arbitrary files from the host, including serverconfig.xml, hashed admin passwords, and SSH keys. No auth required.
  • CVE-2024-57726 (CVSS 9.9) — missing authorization on the technician API. A low-privileged technician account can mint API keys with permissions it should not have, escalating to server admin.
  • CVE-2024-57728 (CVSS 7.2) — Zip Slip in the admin file upload. Once an attacker has admin (via the first two bugs or otherwise leaked creds), they upload a crafted zip whose entries traverse outside the intended extraction directory and drop a payload anywhere the SimpleHelp service user can write. That’s RCE on the appliance.

Chained: anonymous read → admin escalation → arbitrary write → code execution as the SimpleHelp server user. From there it’s lateral movement through the RMM’s existing trusted channel into every endpoint it manages.

Why this is an MSP problem first

SimpleHelp is RMM software. The whole point is that one server reaches into hundreds or thousands of customer endpoints with pre-authorized agent connections. When you compromise the SimpleHelp server, you don’t get one box — you get every box it manages, and the agent traffic looks identical to legitimate support sessions because functionally, it is.

Sophos MDR and Field Effect both reported intrusions where DragonForce affiliates broke into an MSP’s SimpleHelp instance, then used the RMM’s own scripting and remote-execution features to push ransomware to all downstream customers more or less simultaneously. Shadowserver’s honeypots have been seeing exploit traffic against the path-traversal bug for months — the patches landed in January 2025 but the long tail of unpatched MSPs is what drove the KEV addition now.

Other adds in the same batch

CISA also added, with the same May 8 deadline:

  • Samsung MagicINFO 9 Server (CVSS 8.8) — path traversal allowing arbitrary file writes on the digital signage CMS. Used in opportunistic exploitation against unmanaged signage networks.
  • D-Link DIR-823X series — a command injection in EOL consumer/SOHO routers, currently being absorbed into Mirai-style botnets.
  • CVE-2025-29635 — CISA recommends discontinuing the appliance rather than patching, which is the usual signal that the vendor isn’t going to ship a fix.

What to do right now

For the SimpleHelp issues, the fixes have been out since January 2025 — 5.5.8 and later on the 5.x branch, and current 6.x is patched. If you operate a SimpleHelp server:

  1. Confirm version. Anything 5.5.7 or earlier is vulnerable to the unauthenticated path traversal — assume the serverconfig.xml and hashed admin passwords have leaked, and rotate everything.
  2. Pull the appliance off the public internet if it doesn’t strictly need to be there. SimpleHelp is frequently deployed with the web UI exposed for technician convenience, and that’s the attack surface.
  3. Audit technician accounts and API keys. Any keys created on a vulnerable build should be revoked, not trusted.
  4. Look for evidence of exploitation: anomalous outbound from the SimpleHelp host, unexpected zip uploads, agent-deployed scripts you didn’t queue, new admin accounts. The Sophos and Field Effect write-ups both have IOCs.
  5. If you’re an MSP and your SimpleHelp server has been on a vulnerable build at any point in the last 16 months, treat downstream customer fleets as potentially touched, not just the server.
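As an added illustration of step 4 (this is example code, not from the article, SimpleHelp, or the Sophos/Field Effect write-ups), the following Python scans web access logs for requests to the /files endpoint whose decoded path parameter climbs out of the served directory, which is the shape of CVE-2024-57727. The log lines are constructed in common log format; SimpleHelp's actual log layout is an assumption, so LOG_RE will need adjusting to the real server.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log in common log format; SimpleHelp's real log
# layout is not known here, so LOG_RE and the /files?path= shape are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:10:14:01 +0000] "GET /files?path=docs/guide.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [02/May/2026:10:14:05 +0000] "GET /files?path=../../../../../../etc/passwd HTTP/1.1" 200 2817
203.0.113.9 - - [02/May/2026:10:14:06 +0000] "GET /files?path=%2e%2e%2f%2e%2e%2fserverconfig.xml HTTP/1.1" 200 9012
203.0.113.9 - - [02/May/2026:10:14:07 +0000] "GET /files?path=%252e%252e%252fconfiguration HTTP/1.1" 404 0
198.51.100.4 - - [02/May/2026:10:15:00 +0000] "GET /files?path=a/../b/../c.txt HTTP/1.1" 200 10
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded dots (%252e) are not missed."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def escapes_root(path_param):
    """True if the decoded path parameter resolves outside the served directory."""
    decoded = decode_fully(path_param).replace("\\", "/")
    if decoded.startswith("/"):
        return True  # absolute path, not relative to the served directory at all
    depth = 0  # track depth per segment: 'a/../b' stays inside, '../x' dips below root
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

def find_traversal_attempts(log_text):
    """One record per request to /files whose path parameter escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or url.path != "/files":
            continue
        for candidate in parse_qs(url.query).get("path", []):
            if escapes_root(candidate):  # a 200 status means the file was actually served
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "path": decode_fully(candidate)})
                break
    return hits
```

A 200 on a flagged request is the line to treat as confirmed file disclosure; non-200 attempts still identify the scanning source and the time window for the rest of the triage.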

The KEV deadline is for federal agencies, but the threat model — RMM-as-distribution-channel for ransomware — applies to anyone running SimpleHelp at scale. The window between patch availability and active mass exploitation is closed; the window between exploitation and ransomware deployment, going by recent DragonForce intrusions, is hours.