TP-EXP-2024-0003 CVE-2024-57726 critical Patched AI Draft

SimpleHelp Technician Privilege Escalation to Admin via API Key Creation (CVE-2024-57726)

CVE CVE-2024-57726
Platform SimpleHelp <= 5.5.7
Type Missing Authorization
Severity CRITICAL
Status Patched
Zero-Day No
Disclosed January 14, 2025
Patched January 15, 2025
CISA KEV Listed

Severity Assessment

  • Exploitability: 7/10 — Requires valid technician credentials; CVE-2024-57727 (path traversal) enables unauthenticated credential extraction, making the prerequisite achievable without prior access
  • Impact: 9/10 — Full server administrator compromise; in combination with CVE-2024-57728, enables arbitrary code execution on the SimpleHelp server and lateral movement to all managed endpoints
  • Weaponization Risk: 9/10 — All three SimpleHelp CVEs are actively exploited as a chain; weaponized exploit code is publicly available; NHS England and multiple government bodies issued active-exploitation warnings
  • Patch Urgency: 10/10 — CISA KEV-listed (2026-04-24), federal deadline 2026-05-08; exploitation chain is fully automated in observed campaigns
  • Detection Coverage: 4/10 — API key creation activity is a legitimate SimpleHelp operation; distinguishing attacker-created admin API keys from authorized ones requires comprehensive audit logging and anomaly detection

Summary

CVE-2024-57726 is a missing authorization vulnerability (CWE-862) in SimpleHelp remote support software versions 5.5.7 and earlier. Certain administrative API functions lacked backend authorization enforcement, allowing a low-privilege technician account to invoke admin-only endpoints through a crafted sequence of network calls. By exploiting this gap, an attacker with technician credentials can create API keys scoped to the server administrator role, effectively gaining full administrative control over the SimpleHelp server.

The vulnerability carries a CVSS 3.1 base score of 9.9 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The Changed Scope (S:C) reflects that a compromise of the SimpleHelp server cascades to all remote endpoints it manages — potentially thousands of machines in a managed service provider (MSP) deployment.

CVE-2024-57726 is one of three vulnerabilities disclosed together in January 2025 by Horizon3.ai and SimpleHelp. The three flaws form a potent exploit chain: CVE-2024-57727 (path traversal enabling unauthenticated server configuration download) → CVE-2024-57726 (technician-to-admin privilege escalation) → CVE-2024-57728 (admin arbitrary file upload enabling remote code execution). The chain allows a remote unauthenticated attacker to achieve full RCE on the SimpleHelp server and subsequently access all managed endpoints.

Active exploitation of the chain was confirmed by Horizon3.ai, Security Affairs, and NHS England Digital in February 2025. CISA added CVE-2024-57726 to the Known Exploited Vulnerabilities catalog on 2026-04-24 with a federal remediation deadline of 2026-05-08.

Note: Patches were released by SimpleHelp alongside disclosure in January 2025. CVE-2024-57726 is classified as a known-exploited n-day rather than a zero-day under Threatpedia’s definition; isZeroDay is set to false accordingly. The entry is catalogued here because it is CISA KEV-listed and represents a critical RMM supply-chain risk.

Exploit Chain

The following sequence reflects the three-CVE chain observed in active exploitation campaigns targeting SimpleHelp deployments.

Stage 1: Unauthenticated Configuration Exfiltration (CVE-2024-57727)

The attacker sends an unauthenticated HTTP request exploiting the path traversal vulnerability in CVE-2024-57727 to download the SimpleHelp server configuration file (serverconfig.xml). This file contains hashed technician and administrator credentials. The attacker cracks the extracted hashes offline, or reuses recovered passwords where they are shared, to obtain valid technician-level credentials.

Stage 2: Technician Authentication

The attacker authenticates to the SimpleHelp server using the recovered technician credentials. At this point, the attacker holds a low-privilege session with the API access surface available to standard technician accounts.

Stage 3: Admin API Key Creation via Missing Authorization (CVE-2024-57726)

Using the technician session, the attacker crafts a specific sequence of API calls targeting administrative endpoints that lack backend authorization checks. The vulnerable server processes these requests without verifying that the caller holds admin-level privileges. The attacker successfully creates a new API key scoped to the server administrator role. This key is persistent, does not expire by default, and survives credential rotation of the originating technician account.

Stage 4: Administrative Takeover

Using the newly created admin API key, the attacker authenticates as a server administrator. From this position, the attacker can enumerate all managed remote endpoints, their configurations, and installed agents; access sensitive configuration data and stored credentials for managed machines; and create additional admin accounts or API keys for persistent access.

Stage 5: Remote Code Execution via File Upload (CVE-2024-57728)

With administrator access, the attacker exploits CVE-2024-57728 to upload a malicious file to the SimpleHelp server, achieving arbitrary code execution in the context of the SimpleHelp server process. From the server, the attacker can push malicious software or commands to all managed remote endpoints through the legitimate SimpleHelp agent management interface.

Detection Guidance

API audit logging:

  • Enable and review SimpleHelp server audit logs for API key creation events, particularly API keys scoped to administrator roles created outside of normal change management windows
  • Alert on any technician account performing API calls to administrative endpoints not consistent with standard technician operations
  • Monitor for rapid sequences of API calls from a single technician session — the exploit requires a specific crafted sequence that differs from typical interactive use patterns

Account and credential anomalies:

  • Inventory all active SimpleHelp API keys; investigate any admin-scoped keys not provisioned by documented administrative processes
  • Alert on new administrator account creation or privilege changes within SimpleHelp
  • Monitor for technician accounts that authenticate but then immediately perform admin-tier operations rather than standard remote support functions

Configuration file access:

  • Review web server access logs for requests that resolve to the server configuration file (serverconfig.xml) or other configuration resources that should not be publicly reachable, including requests that use ../ sequences or their percent-encoded equivalents (%2e%2e, %252e%252e); these indicate CVE-2024-57727 exploitation preceding CVE-2024-57726 exploitation
  • Monitor for unusual file system access patterns on the SimpleHelp server host, particularly reads of the main configuration file from unexpected processes

Network and endpoint telemetry:

  • Review all managed endpoints for unexpected software installation, configuration changes, or outbound connections that originate from the SimpleHelp agent — a compromised server can push malicious payloads to all managed nodes
  • Correlate SimpleHelp-initiated activity on managed endpoints with open change tickets; unmatched activity is a strong compromise indicator

Indicators of Compromise

The following indicators are derived from Horizon3.ai research, Security Affairs reporting, and NHS England Digital cyber alert CC-4623 published in early 2025.

  • Admin-scoped API keys present in SimpleHelp that were not created through authorized administrative processes; audit via the SimpleHelp admin console under API Keys
  • Web server logs showing GET or POST requests to path-traversal URLs targeting the SimpleHelp configuration file (e.g., requests with ../ or percent-encoded ../ sequences that resolve to serverconfig.xml)
  • New administrator accounts or technician accounts with recently elevated permissions not matching provisioning records
  • Unexpected or unauthorized software deployed to managed endpoints via the SimpleHelp agent, including remote access tools, credential harvesters, or ransomware staging components
  • Outbound connections from the SimpleHelp server host to infrastructure not associated with SimpleHelp update services or the organization’s managed endpoint IPs
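The log-review guidance in Detection Guidance (configuration file access and API audit logging) and the first two indicators above can be turned into rules and run over sample logs. The script below is an added example written for this entry; it is not SimpleHelp's own tooling and not a Horizon3.ai artefact. The access-log lines and audit events are constructed samples, the audit-event field names (ts, session, user, role, action, scope) are a hypothetical schema rather than SimpleHelp's real audit format, and the /toolbox-resource/ prefix in the sample is illustrative: the traversal rule keys on ".." segments after repeated percent-decoding plus the configuration file name, not on any specific prefix.

```python
"""Hunt for the SimpleHelp chain in logs: CVE-2024-57727 config-file traversal attempts
in web access logs, and CVE-2024-57726-style admin API key creation by technician
accounts in audit events. Added example; adapt the parsers to what your server emits."""
import json
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The /toolbox-resource/
# prefix is illustrative; the rule keys on ".." plus the config file name, not a prefix.
ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2025:03:14:07 +0000] "GET /toolbox-resource/../resource/serverconfig.xml HTTP/1.1" 200 41982
203.0.113.7 - - [10/Feb/2025:03:14:09 +0000] "GET /toolbox-resource/%2e%2e/resource/serverconfig.xml HTTP/1.1" 200 41982
198.51.100.20 - - [10/Feb/2025:03:20:11 +0000] "GET /resource/logo.png HTTP/1.1" 200 1234
198.51.100.20 - - [10/Feb/2025:03:21:00 +0000] "GET /toolbox-resource/%252e%252e/resource/serverconfig.xml HTTP/1.1" 403 0
"""

# Constructed sample audit events in a hypothetical JSON-lines schema (not SimpleHelp's).
AUDIT_EVENTS = """\
{"ts":"2025-02-10T03:30:01Z","session":"s1","user":"jdoe","role":"technician","action":"login"}
{"ts":"2025-02-10T03:30:04Z","session":"s1","user":"jdoe","role":"technician","action":"admin.list_users"}
{"ts":"2025-02-10T03:30:05Z","session":"s1","user":"jdoe","role":"technician","action":"admin.apikey.create","scope":"server_admin"}
{"ts":"2025-02-10T09:00:00Z","session":"s2","user":"admin","role":"admin","action":"admin.apikey.create","scope":"server_admin"}
{"ts":"2025-02-10T10:00:00Z","session":"s3","user":"asmith","role":"technician","action":"session.start"}
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ADMIN_PREFIX = "admin."
API_KEY_CREATE = "admin.apikey.create"


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(raw_path):
    """Return a rule name if the request targets the server config file, else None."""
    path = decode_fully(raw_path.split("?", 1)[0])
    segments = path.split("/")
    resolved = posixpath.normpath(path).lower()   # collapse ../ to see the real target
    if "serverconfig" not in resolved:
        return None
    return "config-traversal" if ".." in segments else "config-direct"


def scan_access_log(text):
    """Flag every request that resolves to the config file, whatever the status code."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        rule = classify_path(m["path"])
        if rule:
            findings.append({"rule": rule, "ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return findings


def scan_audit_events(text, burst_count=2, burst_window_s=10):
    """Flag technician calls to admin endpoints, admin-scoped key creation, and bursts."""
    findings = []
    admin_calls = {}  # session -> timestamps of admin.* calls
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        is_admin_call = e["action"].startswith(ADMIN_PREFIX)
        if is_admin_call and e["role"] != "admin":
            findings.append({"rule": "tech-admin-endpoint", "user": e["user"],
                             "session": e["session"], "action": e["action"]})
        if e["action"] == API_KEY_CREATE and e.get("scope") == "server_admin":
            # Every admin-scoped key goes to the inventory review, even when an admin made it.
            findings.append({"rule": "admin-apikey-created", "user": e["user"],
                             "session": e["session"], "by_admin": e["role"] == "admin"})
        if is_admin_call:
            admin_calls.setdefault(e["session"], []).append(ts)
    # Rapid sequences of admin calls in one session differ from interactive technician use.
    for session, times in admin_calls.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_window_s:
                findings.append({"rule": "rapid-admin-sequence", "session": session, "calls": len(times)})
                break
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG) + scan_audit_events(AUDIT_EVENTS):
        print(finding)
```

Two design points: the access-log rule flags 403 responses as well as 200s, because a blocked traversal attempt is still reconnaissance worth correlating with later technician logins from the same source; and the admin-scoped key rule fires for administrators too, so that the output doubles as the API key inventory the guidance asks for, with by_admin separating keys that need a change ticket lookup from keys that are compromise indicators outright.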

Disclosure Timeline

Date        Event
2025-01-14  Horizon3.ai researchers discover and disclose CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 to SimpleHelp
2025-01-15  SimpleHelp releases patched versions 5.3.9, 5.4.10, and 5.5.8 and publishes security advisory
2025-02-07  Qualys ThreatPROTECT publishes analysis of the three-CVE chain and exploitation vectors
2025-02-12  Security Affairs reports active exploitation of the SimpleHelp vulnerability chain observed in the wild
2025-02-13  NHS England Digital issues cyber alert CC-4623 warning of active exploitation targeting healthcare and public sector organizations
2026-04-24  CISA adds CVE-2024-57726 to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of 2026-05-08
2026-04-24  Threatpedia entry published

Sources & References