A missing authorization flaw in SimpleHelp remote support software lets low-privileged technicians mint API keys with excessive permissions and escalate to server admin; now confirmed exploited in ransomware campaigns and added to CISA's KEV catalog.
What Is It
CVE-2024-57726 is a missing authorization vulnerability (CWE-862) in SimpleHelp remote support software. According to NVD, versions 5.5.7 and earlier allow low-privileged technicians to create API keys with permissions beyond what their role should grant. Those API keys can then be used to escalate privileges to the server admin role.
NVD rates the issue CVSS 9.9 (CRITICAL) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: network-reachable, low attack complexity, only low privileges required, no user interaction, and a changed scope with high impact to confidentiality, integrity, and availability.
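To make the CWE-862 pattern concrete, here is an added illustration (not SimpleHelp's code; role and permission names are constructed) of an API-key minting function that trusts the caller's requested permission set beside one that caps a key at its creator's own role, plus an audit helper for finding keys that already exceed their owner's role; the audit step is this editor's suggestion, not part of the vendor advisory.

```python
from dataclasses import dataclass

# Constructed role model for the example; SimpleHelp's real roles and
# permission names are not documented on the page.
ROLE_PERMISSIONS = {
    "technician": frozenset({"session:join", "session:view"}),
    "server_admin": frozenset({"session:join", "session:view",
                               "user:manage", "server:configure"}),
}


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class ApiKey:
    owner_role: str
    permissions: frozenset


def excess_permissions(caller_role, requested):
    """Permissions in `requested` that the caller's own role does not hold."""
    return frozenset(requested) - ROLE_PERMISSIONS[caller_role]


def mint_api_key_unchecked(caller_role, requested):
    # Vulnerable pattern (CWE-862): the server stores whatever permission
    # set was requested, so a technician can mint a key with admin rights.
    return ApiKey(caller_role, frozenset(requested))


def mint_api_key(caller_role, requested):
    # Hardened pattern: a key can never carry more than its creator holds.
    excess = excess_permissions(caller_role, requested)
    if excess:
        raise AuthorizationError(f"{caller_role} may not grant {sorted(excess)}")
    return ApiKey(caller_role, frozenset(requested))


def grants_server_admin(key):
    return ROLE_PERMISSIONS["server_admin"] <= key.permissions


def overprivileged_keys(keys):
    # Audit after patching: keys minted before the fix are not shrunk by the
    # upgrade, so list any whose permissions exceed the owner's role.
    return [k for k in keys if excess_permissions(k.owner_role, k.permissions)]


if __name__ == "__main__":
    bad = mint_api_key_unchecked("technician", ROLE_PERMISSIONS["server_admin"])
    print("unchecked mint grants admin:", grants_server_admin(bad))
    print("keys to revoke:", overprivileged_keys([bad]))
```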
Why It Matters
CISA added CVE-2024-57726 to the Known Exploited Vulnerabilities catalog on 2026-04-24 and flagged it with knownRansomwareCampaignUse: Known. NVD references tie the bug to active ransomware activity, including Microsoft's reporting on Storm-1175 / Medusa ransomware operations targeting vulnerable web-facing assets, and Trend Micro's spotlight on the DragonForce ransomware ecosystem.
Because SimpleHelp is a remote support tool typically reachable over the internet and trusted to take action on managed endpoints, a privilege escalation to server admin gives an attacker a foothold across every downstream system the SimpleHelp server can reach.
What's Vulnerable
- Product: SimpleHelp remote support software
- Affected versions: all versions prior to 5.5.8 (per the NVD CPE match cpe:2.3:a:simple-help:simplehelp:* with versionEndExcluding 5.5.8)
- Precondition: the attacker must already hold low-privileged technician access to the SimpleHelp server
Patch Status
The vendor addressed the issue in SimpleHelp 5.5.8; fixed-version details are published in SimpleHelp's January 2025 security advisory.
CISA's required action (due 2026-05-08): apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.