

Ethical Hacking News

U.S. CISA Adds SimpleHelp Vulnerability to Known Exploited Vulnerabilities Catalog: A Cautionary Tale of Unpatched Software and the Consequences of Neglect



The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a SimpleHelp path traversal vulnerability, CVE-2024-57727, to its Known Exploited Vulnerabilities (KEV) catalog, which means the flaw is being used in real attacks to read sensitive files from exposed SimpleHelp servers. The case shows why unpatched remote support software is such an attractive target and why patching internet-facing management tools cannot wait.

  • CISA has added the SimpleHelp path traversal flaw CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) catalog.
  • Horizon3 researchers found three vulnerabilities in SimpleHelp (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728); SimpleHelp released fixed versions before the public disclosure.
  • Arctic Wolf observed attackers exploiting the flaws about a week after disclosure, downloading files, uploading files with admin privileges and escalating access to the administrative level on vulnerable servers.
  • Recommended mitigations include upgrading to a fixed version, uninstalling SimpleHelp clients left over from past support sessions, rotating admin and technician passwords and restricting which IP addresses may log in.
  • Shadowserver counted about 580 vulnerable instances exposed online, mainly in the US and UK; federal agencies must remediate by March 6, 2025.



  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the SimpleHelp path traversal vulnerability CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing is not a warning about a theoretical risk: it means CISA has evidence the flaw is already being exploited to gain unauthorized access to sensitive data.

    In January 2025, Horizon3 researchers disclosed three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728, that can be used to compromise a SimpleHelp server and, through it, the client machines it manages. CVE-2024-57727 is an unauthenticated path traversal that lets an attacker download arbitrary files from the server, including the serverconfig.xml file, which holds hashed admin and technician passwords, LDAP credentials and other secrets, all encrypted with a hardcoded key. The other two flaws require an account: CVE-2024-57728 allows an administrator to upload arbitrary files to the server, which can be turned into remote code execution, and CVE-2024-57726 lets a low-privilege technician account escalate to administrator because of missing authorization checks.
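    A practical follow-up to the path traversal described above is to check whether your own web or reverse-proxy logs show anyone reaching for serverconfig.xml. The script below is an added example written for this article, not SimpleHelp's or Horizon3's code; the Combined Log Format lines, the request paths and the directory names in them are constructed and do not reproduce the actual exploit request. It decodes repeated percent-encoding before looking for ".." segments, because single- and double-encoded traversal both slip past a naive substring search for "../".

```python
"""Flag web requests that try to reach serverconfig.xml via path traversal.

Illustrative detection code added to this article; it is not SimpleHelp's or
Horizon3's code. The log lines and request paths are constructed for the
example and do not reproduce the real exploit request.
"""
import posixpath
import re
from urllib.parse import unquote

# Combined Log Format: client ip, identity, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# File names worth alerting on even without traversal; taken from the article.
SENSITIVE_FILES = {"serverconfig.xml"}


def decode_fully(path: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e and %2e%2e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_verdict(raw_path: str) -> dict:
    """Classify one request path: does it contain '..' segments, and which file
    does it resolve to once normalised?"""
    path = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")
    normalised = posixpath.normpath(path)
    return {
        "traversal": ".." in segments,
        "sensitive_target": posixpath.basename(normalised) in SENSITIVE_FILES,
        "normalised": normalised,
    }


def scan_log(text: str) -> list:
    """Return one finding per request that traverses or targets a sensitive file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = traversal_verdict(m["path"])
        if verdict["traversal"] or verdict["sensitive_target"]:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "raw_path": m["path"], **verdict})
    return findings


# Constructed sample log (not real traffic). Line 1 percent-encodes the dots,
# line 3 double-encodes the slashes; both resolve to the same config file.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2025:10:14:03 +0000] "GET /downloads/%2e%2e/%2e%2e/configuration/serverconfig.xml HTTP/1.1" 200 4821
198.51.100.4 - - [22/Jan/2025:10:14:05 +0000] "GET /static/app.js HTTP/1.1" 200 1200
203.0.113.7 - - [22/Jan/2025:10:14:09 +0000] "GET /downloads/..%252f..%252fconfiguration%252fserverconfig.xml HTTP/1.1" 200 4821
192.0.2.9 - - [22/Jan/2025:10:15:00 +0000] "GET /help/index.html HTTP/1.1" 304 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} -> {f['normalised']} (traversal={f['traversal']})")
```

    A 200 response on a traversal request is the important signal: it tells you the download succeeded and the server's secrets should be treated as exposed, which is exactly why the mitigation list below starts with rotating admin and technician passwords.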

    SimpleHelp released fixed versions 5.5.8, 5.4.10 and 5.3.9 on January 13, 2025, ahead of Horizon3's public write-up. Not every operator has applied them, and an ongoing campaign against unpatched SimpleHelp servers has since been reported.

    Arctic Wolf reports that exploitation began about a week after the public disclosure. The observed activity includes downloading files, uploading files with admin privileges and escalating access to the administrative level on vulnerable servers, which lines up with the three flaws described above. Arctic Wolf also noted that an attacker who chains them to gain administrative control of a SimpleHelp server could use that position to compromise the devices running the SimpleHelp client software.

    In the incident Arctic Wolf describes, SimpleHelp's Remote Access.exe client was already running on the endpoint before the compromise, most likely left behind by an earlier support session. The first sign of intrusion was that client communicating with an unapproved SimpleHelp server. The attackers then tried to gather account and domain details through cmd.exe with tools such as net and nltest, but the session was terminated before they could go further.
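    The two intrusion signs in that account, a SimpleHelp client talking to a server that is not yours and discovery commands spawned under it, are easy to turn into detection logic. The script below is an added example for this article, not Arctic Wolf's or SimpleHelp's code; the EDR-style event schema, hostnames, destination addresses and the approved-server list are all constructed. The process-name and tool list come from the article; the ancestry check is an assumption about what your telemetry records.

```python
"""Triage endpoint telemetry for the two intrusion signs reported by Arctic Wolf:
a SimpleHelp client connecting to a server not on the approved list, and
account/domain discovery (net, nltest) running underneath that client.

Illustrative code added to this article, not Arctic Wolf's or SimpleHelp's.
The event schema, hosts, addresses and approved-server list are constructed.
"""
import re

# Approved SimpleHelp servers for this (hypothetical) organisation.
APPROVED_SERVERS = {"support.example.com", "203.0.113.10"}

CLIENT_IMAGES = {"remote access.exe"}  # SimpleHelp client binary named in the article
# net / net1 / nltest, as bare command names or .exe images. Deliberately broad;
# tune per environment.
DISCOVERY_RE = re.compile(r"\b(net1?|nltest)(\.exe)?\b", re.IGNORECASE)


def _is_client(image: str) -> bool:
    return image.lower() in CLIENT_IMAGES


def unapproved_server_findings(events: list, approved: set) -> list:
    """Network connections made by the SimpleHelp client to non-approved servers."""
    allowed = {a.lower() for a in approved}
    out = []
    for e in events:
        if e["type"] != "netconn" or not _is_client(e["image"]):
            continue
        if e["dest"].lower() not in allowed:
            out.append({"host": e["host"], "rule": "unapproved_simplehelp_server",
                        "detail": f"{e['image']} -> {e['dest']}:{e['port']}"})
    return out


def discovery_findings(events: list) -> list:
    """Discovery tooling whose process ancestry includes the SimpleHelp client."""
    out = []
    for e in events:
        if e["type"] != "process":
            continue
        if not any(_is_client(a) for a in e.get("ancestors", [])):
            continue  # net/nltest run by an admin from explorer.exe is normal
        if DISCOVERY_RE.search(e["image"]) or DISCOVERY_RE.search(e["cmdline"]):
            out.append({"host": e["host"], "rule": "discovery_under_simplehelp_client",
                        "detail": e["cmdline"]})
    return out


def triage(events: list, approved: set = APPROVED_SERVERS) -> list:
    return unapproved_server_findings(events, approved) + discovery_findings(events)


# Constructed sample telemetry (EDR-style netconn and process events).
SAMPLE_EVENTS = [
    {"type": "netconn", "host": "WS01", "image": "Remote Access.exe",
     "dest": "198.51.100.23", "port": 443},
    {"type": "netconn", "host": "WS02", "image": "Remote Access.exe",
     "dest": "support.example.com", "port": 443},
    {"type": "process", "host": "WS01", "image": "cmd.exe",
     "ancestors": ["Remote Access.exe"],
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"type": "process", "host": "WS01", "image": "nltest.exe",
     "ancestors": ["cmd.exe", "Remote Access.exe"],
     "cmdline": "nltest /dclist:corp"},
    {"type": "process", "host": "WS03", "image": "cmd.exe",
     "ancestors": ["explorer.exe"], "cmdline": "cmd.exe /c net user"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
```

    The allowlist is the part that needs maintaining: every legitimate SimpleHelp server your technicians use must be in it, otherwise the first rule fires on normal support sessions. The second rule only fires when discovery tools sit under the client process, so routine administrator use of net or nltest from a console stays quiet.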

    In light of this, experts recommend that operators upgrade to a fixed version and take a few further steps: uninstall SimpleHelp client software left over from past support sessions, rotate passwords for admin and technician accounts in case serverconfig.xml was already downloaded, and restrict which IP addresses may log in to the SimpleHelp server.

    The Shadowserver Foundation counted about 580 vulnerable SimpleHelp instances exposed online, most of them in the United States and the UK. Under Binding Operational Directive 22-01, the directive that gives the KEV catalog its teeth, federal civilian agencies must remediate CVE-2024-57727 by March 6, 2025.

    Private organizations are also urged to review the KEV catalog and fix any listed vulnerabilities present in their own infrastructure.

    The SimpleHelp case is a reminder that remote support tools sit on a privileged path into every endpoint they manage: a server compromise is one step away from the client fleet. Patching those tools promptly, removing stale clients and watching where the remaining clients connect should be routine, not a reaction to a KEV entry.



    Related Information:

  • https://securityaffairs.com/174233/hacking/u-s-cisa-adds-simplehelp-flaw-known-exploited-vulnerabilities-catalog.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-57726

  • https://www.cvedetails.com/cve/CVE-2024-57726/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-57727

  • https://www.cvedetails.com/cve/CVE-2024-57727/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-57728

  • https://www.cvedetails.com/cve/CVE-2024-57728/


  • Published: Fri Feb 14 16:50:57 2025 by llama3.2 3B Q4_K_M















    © Ethical Hacking News . All rights reserved.
