Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
On June 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released Advisory AA25-163A, warning that ransomware actors have been exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier, to compromise a utility billing software provider.
This case is part of a broader pattern of attacks observed since January 2025, where unpatched SimpleHelp deployments have been used as entry points for double-extortion ransomware operations.
In this blog, we examine the details of CVE-2024-57727, how it has been exploited in the wild, and the steps organizations should take to detect and mitigate the risk.
CVE-2024-57727: SimpleHelp Remote Monitoring and Management Vulnerability Explained
CVE-2024-57727 is a high-severity path traversal vulnerability (CVSS v3 7.5) affecting SimpleHelp Remote Monitoring and Management (RMM) software.
In vulnerable versions (≤ 5.5.7), it allows unauthenticated attackers to remotely retrieve arbitrary files from the underlying operating system by manipulating file path parameters in HTTP GET requests.
Exploitation and Risk
CISA confirmed that this vulnerability has been actively exploited in ransomware campaigns since January 2025, and added it to the Known Exploited Vulnerabilities (KEV) catalog on February 13, 2025.
Threat actors have leveraged this flaw as an initial access vector in double extortion ransomware attacks, particularly targeting downstream customers of utility billing providers and managed service providers (MSPs). Once attackers gain access to sensitive credentials or configuration files, they can escalate privileges, move laterally across systems, and deploy ransomware payloads to maximize impact.
Root Cause and Technical Impact
Attackers can exploit CVE-2024-57727 by injecting sequences like ../../../../../ into file requests to escape the web server’s root directory and access files elsewhere on the host system.
Because SimpleHelp stores all of its data as local files, this type of access is especially dangerous. While some logs and secrets are encrypted, community research has revealed that the encryption uses a hardcoded key, so it offers insufficient protection against motivated attackers.
High-value file targets include the following.
- /SimpleHelp/configuration/serverconfig.xml: Contains configuration data, including authentication and integration secrets such as hashed passwords for the SimpleHelpAdmin and technician accounts, LDAP credentials, OIDC client secrets, API keys, and TOTP seeds used for MFA.
- /root/.ssh/id_rsa: May reveal the root user's private SSH key on Linux systems.
- /etc/passwd: Can help attackers enumerate system users.
- C:\Windows\System32\config\SAM: On Windows, may expose hashed administrator passwords.
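The traversal described above is the generic failure of a file-serving handler that appends a client-supplied path to its web root without normalising it. The following Python snippet is an added illustration of that pattern beside a hardened version; it is not SimpleHelp's code, and the temporary directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile

# Constructed demo tree (not SimpleHelp's real layout): a web root holding one
# public file, and a "secret" file that sits one level above the web root.
BASE = tempfile.mkdtemp(prefix="traversal-demo-")
WEB_ROOT = os.path.join(BASE, "webroot")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<html>public</html>")
with open(os.path.join(BASE, "secret.txt"), "w") as fh:
    fh.write("outside the web root")


def serve_vulnerable(requested: str) -> bytes:
    """Vulnerable pattern: the client-supplied path is joined onto the web root
    as-is, so '..' segments (or an absolute path) escape the root."""
    path = os.path.join(WEB_ROOT, requested)
    with open(path, "rb") as fh:
        return fh.read()


def serve_hardened(requested: str) -> bytes:
    """Hardened pattern: resolve the final path (symlinks included) and refuse
    anything whose resolved location is not inside the web root."""
    root = os.path.realpath(WEB_ROOT)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path traversal blocked: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()


def traversal_blocked(requested: str) -> bool:
    """True if the hardened handler rejects the request before opening a file."""
    try:
        serve_hardened(requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(serve_vulnerable("../secret.txt"))      # escapes the web root
    print(traversal_blocked("../secret.txt"))     # True: hardened handler refuses
    print(traversal_blocked("/etc/passwd"))       # True: absolute paths refused too
```

The check compares the resolved path against the resolved root rather than scanning the input for `..`, so URL-encoded or otherwise obfuscated forms are handled by the filesystem normalisation instead of by pattern matching.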
Detection and Mitigation Guidance for CVE-2024-57727
Organizations using SimpleHelp Remote Monitoring and Management (RMM), either directly or as part of third-party software, should take immediate steps to verify whether vulnerable versions are present in their environments. This includes both SimpleHelp servers and endpoints configured for remote access.
Detection
Start by identifying systems running SimpleHelp version 5.5.7 or earlier, which are confirmed to be vulnerable. For servers, this can be done by querying the SimpleHelp web interface using the /allversions path to view the active version.
Endpoint presence can be checked by inspecting the file system for the remote access service (RAS), typically found in:
- %APPDATA%\JWrapper-Remote Access (Windows)
- /opt/JWrapper-Remote Access (Linux)
- /Library/Application Support/JWrapper-Remote Access (macOS)
For each detected instance, examine the configuration files (serverconfig.xml on servers, serviceconfig.xml on endpoints) to determine connection details and version lineage. Organizations should also review system and network logs for evidence of unusual or unauthorized file access, especially requests containing directory traversal patterns like ../../.
Look for signs of post-exploitation activity, including unexpected binaries with short alphabetic filenames (e.g., aaa.exe) created after January 2025, or anomalous traffic originating from SimpleHelp servers.
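As an added example that is not part of the original post, the following Python script implements the three detection checks above over constructed inputs: it flags access-log requests whose path still contains a `..` segment after URL decoding (including double-encoded forms, a generalisation of the `../../` pattern named above), classifies a SimpleHelp version string against the 5.5.7 cut-off, and applies the short-alphabetic-filename heuristic. The log lines, addresses and the `/static/` prefix are made up; treating "short" as one to four letters is an assumption.

```python
import re
from datetime import date
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. Addresses,
# timestamps and the "/static/" prefix are made up for this demonstration.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Feb/2025:10:01:02 +0000] "GET /allversions HTTP/1.1" 200 512
203.0.113.10 - - [14/Feb/2025:10:01:09 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [14/Feb/2025:10:02:33 +0000] "GET /static/..%2f..%2f..%2fSimpleHelp/configuration/serverconfig.xml HTTP/1.1" 200 9120
192.0.2.25 - - [14/Feb/2025:10:03:15 +0000] "GET /index.html HTTP/1.1" 200 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A ".." segment bounded by a separator (or string start/end) on each side.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalize_path(raw: str) -> str:
    """URL-decode up to three times (catches double encoding such as %252e)
    and fold backslashes to slashes before looking for traversal segments."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw_path: str) -> bool:
    return TRAVERSAL_RE.search(normalize_path(raw_path)) is not None


def scan_access_log(text: str) -> list:
    """Return one finding per request whose decoded path contains a '..' segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["path"]):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": normalize_path(m["path"]),
                "status": int(m["status"]),
            })
    return findings


def is_vulnerable_version(version: str) -> bool:
    """True for SimpleHelp 5.5.7 and earlier, the range named in the advisory."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return bool(parts) and parts <= (5, 5, 7)


# Assumption: "short alphabetic filename" is read as one to four letters plus
# an .exe extension. The January 2025 cut-off comes from the advisory.
SHORT_ALPHA_EXE = re.compile(r"^[A-Za-z]{1,4}\.exe$", re.IGNORECASE)
POST_EXPLOIT_WINDOW_START = date(2025, 1, 1)


def suspicious_binary(filename: str, created_iso: str) -> bool:
    """Flag short alphabetic .exe names created on or after 2025-01-01."""
    created = date.fromisoformat(created_iso)
    return bool(SHORT_ALPHA_EXE.match(filename)) and created >= POST_EXPLOIT_WINDOW_START


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['timestamp']} {f['status']} {f['path']}")
    print("5.5.7 vulnerable:", is_vulnerable_version("5.5.7"))
    print("aaa.exe suspicious:", suspicious_binary("aaa.exe", "2025-03-01"))
```

Run it against a real access log by passing the file contents to `scan_access_log`; a 200 status on a flagged request is the case to escalate first, since it indicates the traversal actually returned a file.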
Mitigation
If a vulnerable version is identified, the highest priority action is to immediately isolate the SimpleHelp instance from internet access or shut down the service until a secure upgrade can be performed.
SimpleHelp has released updated versions that address CVE-2024-57727, and patching to the latest version is strongly recommended.
Even in the absence of clear compromise indicators, systems should be treated as potentially at risk. Conduct threat hunting to rule out unauthorized file access or credential exposure. Additionally, apply host-based and network-based vulnerability scans to validate the integrity of affected machines and ensure no persistence mechanisms have been established by an attacker.
Organizations unable to apply patches immediately should consider temporary workarounds such as disabling unnecessary components, restricting inbound connections to the service, and monitoring access logs closely. These mitigations are not substitutes for patching and should only be used as short-term containment measures.
Proactive Hardening Recommendations
To reduce exposure to future RMM-related threats and ransomware attacks, implement the following measures as part of a broader security program:
- Maintain a complete and updated asset inventory of both servers and deployed endpoint software.
- Enforce offline, regularly tested backups to ensure quick restoration in case of encryption.
- Avoid exposing remote services like RDP to the internet. If access is required, apply strict network controls and multi-factor authentication.
- Perform a formal risk assessment of third-party software, especially RMM tools used by vendors or managed service providers.
- Establish clear communication channels with third-party vendors to stay informed about their patching practices and vulnerability disclosures.
- For software development and procurement, promote adoption of Software Bills of Materials (SBOMs) to improve visibility into embedded components and support rapid remediation in the event of a new vulnerability.
How Does Picus Help Simulate SimpleHelp RMM CVE-2024-57727 Exploitation Attacks?
We also strongly suggest simulating the SimpleHelp RMM CVE-2024-57727 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for SimpleHelp RMM CVE-2024-57727 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 73054 | SimpleHelp Web Attack Campaign | Web Application |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address SimpleHelp RMM CVE-2024-57727 exploitation in double extortion ransomware attacks across preventive security controls. Picus Labs has currently validated the following signatures for the SimpleHelp RMM vulnerability:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Check Point NGX | asm_dynamic_prop_A10_DIR_TRAV_URL | Web Servers Directory Traversal |
| F5 BIG-IP | 200101550 | Directory Traversal attempt (Content) |
| F5 BIG-IP | 200007029 | Directory Traversal attempt "../" (URI) |
| ForcePoint NGFW | HTTP_CSU-SimpleHelp-Unauthenticated-Path-Traversal-CVE-2024-57727 | |
| Fortinet FORTIGATE IPS | 57217 | SimpleHelp.Remote.Support.CVE-2024-57727.Path.Traversal |
| Fortinet FORTIGATE WAF | 50050050 | Generic Attacks |
| Fortinet FORTIWEB | 050180008 | Generic Attacks |
| Imperva SecureSphere | Directory Traversal - 16 | |
| Trellix | 0x63079200 | HTTP: SimpleHelp Remote Support Software Path Traversal Vulnerability (CVE-2024-57727) |
| modsecurity | 930100 | Path Traversal Attack (/../) |
| PaloAlto | 30844 | HTTP Directory Traversal Request Attempt |
| Snort | 1.64600.1 | SERVER-WEBAPP SimpleHelp directory traversal attempt |
| Trend Micro | 45538 | HTTP: SimpleHelp Remote Support Software Directory Traversal Vulnerability |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.