A path traversal flaw in SimpleHelp remote support software lets authenticated admin users drop arbitrary files anywhere on the host via a crafted zip archive, leading to code execution as the SimpleHelp server user, and CISA confirms it is being used in ransomware operations.
What Is It
CVE-2024-57728 is a "zip slip" path traversal vulnerability (CWE-22 / CWE-59) in SimpleHelp remote support software. An admin user can upload a maliciously crafted zip file whose entries contain traversal sequences, causing the server to write extracted files outside the intended directory and anywhere on the filesystem. Because the extraction runs in the context of the SimpleHelp server user, an attacker can stage and execute arbitrary code on the host.
NVD rates the issue HIGH with a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The attack vector is network, complexity is low, and no user interaction is required, though high privileges (admin) on the SimpleHelp instance are needed to trigger it.
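The defect class above is an archive extractor that trusts entry names. As an added example (not SimpleHelp's code; the archive contents and the uploads directory are constructed here), the routine below shows the check such an extractor should perform: every entry path is resolved against the destination and rejected if it escapes it, and symlink entries are refused, which closes the CWE-59 variant as well.

```python
from __future__ import annotations
import io, os, stat, tempfile, zipfile
from pathlib import Path

def is_safe_member(name: str, dest: Path) -> bool:
    """True only if the entry would land inside dest.
    Absolute paths, drive letters, backslashes and '..' components are
    all rejected by resolving the joined path and checking it stays
    under the resolved destination (resolve() also follows any symlink
    already present in dest, so a link pointing outside is caught)."""
    if not name or name.startswith("/") or "\\" in name or os.path.splitdrive(name)[0]:
        return False
    root = dest.resolve()
    target = (dest / name).resolve()
    return target == root or root in target.parents

def safe_extract(data: bytes, dest: Path) -> list[str]:
    """Extract only safe entries; returns the names that were rejected."""
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            is_link = stat.S_ISLNK(info.external_attr >> 16)  # unix mode bits
            if is_link or not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest)
    return rejected

def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign content\n")
        zf.writestr("../../outside.txt", "should never be written\n")
    return buf.getvalue()

def demo() -> list[str]:
    """Extract the sample into a throwaway uploads dir; return rejected names."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "uploads"
        dest.mkdir()
        rejected = safe_extract(build_sample_archive(), dest)
        assert (dest / "notes" / "readme.txt").exists()
        assert not (Path(tmp).parent / "outside.txt").exists()
        return rejected

if __name__ == "__main__":
    print("rejected entries:", demo())
```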
Why It Matters
SimpleHelp is a remote support and remote access platform, so a compromised server typically sits in a position of trust over many downstream endpoints. CISA added CVE-2024-57728 to the Known Exploited Vulnerabilities catalog on 2026-04-24 and records it as known to be used in ransomware campaigns. Public reporting referenced by NVD ties exploitation of SimpleHelp vulnerabilities to high-tempo Medusa ransomware operations (Microsoft's Storm-1175 reporting) and to DragonForce activity (Trend Micro).
The combination of an internet-exposed remote-support server, trivial post-auth exploitation, and confirmed ransomware abuse makes this a near-term operational risk, not a theoretical one.
What's Vulnerable
- Product: SimpleHelp remote support software
- Affected versions: v5.5.7 and earlier (fixed in 5.5.8, per NVD CPE range versionEndExcluding: 5.5.8)
- Weakness: CWE-22 (Path Traversal), with CWE-59 (Link Following) noted by NVD
Patch Status
A fixed version (SimpleHelp 5.5.8) is available; see the vendor's January 2025 security bulletin. CISA's required action under BOD 22-01 is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable, with a federal due date of 2026-05-08.
Sources
- SimpleHelp – Security vulnerabilities in SimpleHelp 5.5.7 and earlier (vendor advisory)
- NVD – CVE-2024-57728
- CISA KEV – CVE-2024-57728
- Horizon3.ai – Critical vulnerabilities in SimpleHelp remote support software
- Microsoft Security Blog – Storm-1175 and Medusa ransomware targeting web-facing assets
- Trend Micro – Ransomware spotlight: DragonForce