TP-EXP-2024-0005 CVE-2024-57728 high Patched AI Draft

SimpleHelp Admin Arbitrary File Upload via Zip Slip (CVE-2024-57728)

CVE          CVE-2024-57728
Platform     SimpleHelp <= 5.5.7
Type         Path Traversal
Severity     HIGH
Status       Patched
Zero-Day     No
Disclosed    January 15, 2025
Patched      January 15, 2025
Researcher   Horizon3.ai
CISA KEV     Listed

Severity Assessment

  • Exploitability: 5/10 — Requires authenticated server administrator credentials; however, CVE-2024-57727 enables unauthenticated credential exfiltration and CVE-2024-57726 enables escalation from technician to admin, making the prerequisite achievable in a chained attack without prior admin access
  • Impact: 9/10 — Arbitrary file write on the SimpleHelp server leads to full remote code execution in the context of the server process; a compromised server grants access to all managed remote endpoints
  • Weaponization Risk: 8/10 — Public proof-of-concept code exists; the three-CVE chain (CVE-2024-57727 then CVE-2024-57726 then CVE-2024-57728) was observed in active exploitation campaigns delivering DragonForce ransomware
  • Patch Urgency: 9/10 — CISA KEV-listed (2026-04-24), federal deadline 2026-05-08; patched versions have been available since January 2025 and unpatched deployments remain at high risk
  • Detection Coverage: 4/10 — Zip archive uploads are a legitimate SimpleHelp administrative operation; detection requires file-system monitoring of extraction destinations and anomaly detection on upload timing and content

Summary

CVE-2024-57728 is a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. The flaw allows an authenticated server administrator to upload a crafted zip archive containing directory traversal sequences (a technique known as Zip Slip). When SimpleHelp extracts the archive, it fails to sanitize the embedded file paths, allowing the attacker to write files to arbitrary locations on the host filesystem outside the intended upload directory. Files placed in web-accessible directories or application plugin paths can be executed by the server process, producing remote code execution with the privileges of the SimpleHelp server user.

The CVSS 3.1 base score is 7.2 HIGH with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The High privilege requirement (admin credentials) is the primary mitigating factor; however, in practice CVE-2024-57728 is deployed as the final stage of a three-CVE chain alongside CVE-2024-57727 (unauthenticated path traversal enabling configuration file download) and CVE-2024-57726 (missing authorization enabling technician-to-admin privilege escalation). The full chain degrades the effective privilege requirement to unauthenticated.

CVE-2024-57728 was discovered by Horizon3.ai and disclosed together with CVE-2024-57727 and CVE-2024-57726 in January 2025. SimpleHelp released patched versions (5.3.9, 5.4.10, and 5.5.8) alongside disclosure. Active exploitation of the chain was observed by Arctic Wolf starting January 22, 2025, with DragonForce ransomware deployed across managed service provider (MSP) environments. CISA added CVE-2024-57728 to the Known Exploited Vulnerabilities catalog on 2026-04-24 with a federal remediation deadline of 2026-05-08.

CVE-2024-57728 is catalogued here because it is CISA KEV-listed and carries material risk to RMM supply chains. See the related entry for CVE-2024-57726 for the privilege escalation stage of this chain.

Exploit Chain

The following describes CVE-2024-57728 in the context of the three-CVE chain observed in active exploitation campaigns.

Stage 1: Unauthenticated Configuration Exfiltration (CVE-2024-57727)

The attacker sends an unauthenticated HTTP request exploiting the path traversal flaw in CVE-2024-57727 to retrieve the SimpleHelp server configuration file (serverconfig.xml). This file contains hashed credentials for technician and administrator accounts. The attacker processes the extracted hashes to recover usable credentials.

Stage 2: Privilege Escalation to Admin (CVE-2024-57726)

Using recovered technician credentials, the attacker authenticates to the SimpleHelp server. The attacker then exploits the missing backend authorization flaw in CVE-2024-57726 to invoke admin-only API endpoints from a technician session, creating an API key scoped to the server administrator role. This bypasses the authentication barrier for CVE-2024-57728, which requires admin credentials.

Stage 3: Malicious Zip Archive Construction

The attacker constructs a zip archive containing one or more files with path traversal sequences in their embedded filenames. When extracted by a vulnerable SimpleHelp server, these sequences cause the extractor to write the file content outside the intended upload directory, into an attacker-chosen location on the host filesystem.

Stage 4: Arbitrary File Upload via Zip Slip (CVE-2024-57728)

The attacker authenticates using the admin API key obtained in Stage 2 and uploads the crafted zip archive through the SimpleHelp administrative file upload interface. The server extracts the archive without sanitizing the embedded file paths, writing the attacker’s payload to the target location. Files placed in web-accessible directories are immediately accessible via HTTP; files placed in plugin or application-load directories execute on the server’s next restart or request cycle.

Stage 5: Remote Code Execution and Endpoint Compromise

The attacker accesses the uploaded payload through the web application, triggering execution in the context of the SimpleHelp server process. From the server, the attacker uses SimpleHelp’s legitimate administrative agent management capabilities to push malicious software to all managed remote endpoints connected to the compromised server.
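An added illustration of the Stage 3 and Stage 4 mechanism from the defender's side (example code written here, not SimpleHelp's own Java implementation): the path check that a Zip Slip-vulnerable extractor omits, used both to scan an uploaded archive for traversal entries and to refuse extraction when any is found. The archives it builds are constructed test input and the upload directory is a scratch temporary directory; nothing here reflects SimpleHelp's real upload paths.

```python
import io
import os
import zipfile

def resolve_inside(dest_dir, entry_name):
    """On-disk path for an archive entry, or None if it would escape dest_dir.
    This is the check a Zip Slip-vulnerable extractor omits: it trusts the
    entry name as-is, so '../' sequences walk out of the upload directory."""
    dest = os.path.realpath(dest_dir)
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None  # absolute or drive-letter path: never a valid upload entry
    target = os.path.realpath(os.path.join(dest, name))
    return target if target.startswith(dest + os.sep) else None

def zip_slip_entries(data, dest_dir):
    """Names of entries that would land outside dest_dir (detection use)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if resolve_inside(dest_dir, n) is None]

def safe_extract(data, dest_dir):
    """Extract only if every entry stays inside dest_dir; else refuse the archive."""
    bad = zip_slip_entries(data, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = resolve_inside(dest_dir, info.filename)  # already validated
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zf.open(info) as src, open(path, "wb") as dst:
                dst.write(src.read())
            written.append(path)
    return written

def build_archive(entries):
    """Constructed sample archive from {entry name: content}; test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Use zip_slip_entries for a non-blocking audit of archives already on disk and safe_extract inside the upload handler itself; a production extractor must additionally refuse symlink entries, which Python's zipfile never materialises but other extractors do.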

Detection Guidance

File system monitoring:

  • Monitor the SimpleHelp server host for file creation events outside of the application’s designated upload and installation directories; any new files in web-served directories not created by the SimpleHelp update process warrant investigation
  • Alert on creation of script files (.jsp, .php, .py, .sh, .ps1) or executables in web-accessible paths on the SimpleHelp server host
  • Review file access logs on the host for reads of serverconfig.xml or similar configuration files from processes other than the SimpleHelp service

Web and API log review:

  • Review SimpleHelp web access logs for requests containing path traversal patterns in URLs or request bodies, particularly against configuration or download endpoints
  • Monitor admin-level file upload API calls; alert on uploads of zip archives whose filenames or contents are atypical for the environment’s change management schedule
  • Alert on admin API key creation events that occur outside documented provisioning workflows, as these indicate CVE-2024-57726 exploitation feeding into the Zip Slip stage

Endpoint telemetry from managed nodes:

  • Review all managed endpoints for software installations, configuration changes, or outbound connections initiated through the SimpleHelp agent that lack matching authorized change tickets
  • Alert on SimpleHelp agent activity that installs remote access tools, modifies security software settings, or executes encoded scripts

Network indicators:

  • Monitor for outbound connections from the SimpleHelp server host to external IP addresses not associated with SimpleHelp update infrastructure or managed endpoint subnets
  • Correlate unexpected SimpleHelp agent network activity on managed endpoints with the server’s compromise window
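An added example (not from the advisory or its cited sources) for the web log review bullets above: a small scanner that normalises request paths, including percent-encoded and double-encoded forms and backslash separators, and flags both traversal segments and reads of serverconfig.xml. The log lines, IP addresses and the /resource/ path are constructed samples, not known SimpleHelp endpoints.

```python
import re
import urllib.parse

# Constructed sample access log (common log format); hosts and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.9 - - [22/Jan/2025:10:03:14 +0000] "GET /resource/../../configuration/serverconfig.xml HTTP/1.1" 200 4096
10.0.0.9 - - [22/Jan/2025:10:03:20 +0000] "GET /resource/%2e%2e/%2e%2e/configuration/serverconfig.xml HTTP/1.1" 200 4096
10.0.0.7 - - [22/Jan/2025:10:05:00 +0000] "GET /static/app.js HTTP/1.1" 200 1024
10.0.0.9 - - [22/Jan/2025:10:06:00 +0000] "GET /resource/%252e%252e%255c%252e%252e%255cserverconfig.xml HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(path):
    """Percent-decode repeatedly (double encoding is common) and unify separators."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur.replace("\\", "/")

def scan_log(text):
    """Return one finding per request whose normalised path looks like traversal
    or targets the server configuration file, regardless of response status."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = normalise(m["path"].split("?", 1)[0])
        reasons = []
        if any(seg == ".." for seg in path.split("/")):
            reasons.append("traversal")
        if path.lower().endswith("serverconfig.xml"):
            reasons.append("config-file")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "path": path, "reasons": reasons})
    return hits
```

A 403 on the last line still counts as a finding: the attempt itself is the signal, and a later 200 from the same source on a similar path is the confirmation to escalate.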

Indicators of Compromise

The following indicators are derived from Qualys ThreatPROTECT research, Arctic Wolf campaign analysis, and CISA KEV reporting for CVE-2024-57728.

  • Script files or executables present in SimpleHelp web-served directories that were not installed by the SimpleHelp application update process
  • Web server access logs showing extraction of the SimpleHelp server configuration file via path traversal URLs (precursor exploitation of CVE-2024-57727)
  • Admin-scoped API keys present in SimpleHelp configuration that were not provisioned through authorized administrative processes (residue of CVE-2024-57726 exploitation)
  • Presence of DragonForce ransomware staging components, remote monitoring and management tools not approved by the organization, or credential harvesting utilities on SimpleHelp managed endpoints
  • Outbound connections from managed endpoints to infrastructure associated with DragonForce ransomware operations or unknown remote access services initiated through the SimpleHelp agent management channel

Disclosure Timeline

Date        Event
2025-01-08  SimpleHelp releases initial security patches for a subset of versions; coordinated disclosure with Horizon3.ai begins
2025-01-15  SimpleHelp releases patched versions 5.3.9, 5.4.10, and 5.5.8 and publishes the full security advisory covering CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728
2025-01-22  Arctic Wolf begins observing an active exploitation campaign targeting unpatched SimpleHelp RMM deployments, using the three-CVE chain for initial access and ransomware staging
2025-01-29  American Hospital Association alerts the healthcare sector to active exploitation of SimpleHelp vulnerabilities
2025-02-01  Arctic Wolf publishes detailed campaign analysis documenting the exploitation chain and observed post-exploitation activity including DragonForce ransomware deployment
2025-02-07  Qualys ThreatPROTECT publishes technical analysis of all three SimpleHelp CVEs and their chaining mechanics
2026-04-24  CISA adds CVE-2024-57728 to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of 2026-05-08

Sources & References