SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak
SimpleHelp shipped a fix in seven days from full disclosure. Then they posted it to a forum. Ransomware affiliates have been pulling hashed admin credentials out of unpatched servers ever since.
SimpleHelp patched CVE-2024-57727 in seven days from full technical disclosure. Then they announced the fix on a community forum. Sixteen months and two ransomware cartels later, CISA was still publishing advisories about MSPs whose serverconfig.xml had been pulled off the wire by an unauthenticated GET request. The patch race was won. The distribution race was never really run.
The bug itself is unglamorous. SimpleHelp’s respondToolboxResource() serves files for GET /toolbox-resource/... without canonicalizing the path. GET /toolbox-resource/../serverconfig.xml returns the file. No auth, no session, no preconditions beyond reachability. The Project Discovery Nuclei template uses the presence of <HashPassword> tags in the response as its definitive vulnerability signal, which tells you what the request returns: a credential store.
SimpleHelp/configuration/serverconfig.xml holds hashed passwords for the SimpleHelpAdmin account and every local technician, LDAP service-account bindings, OIDC client secrets, API keys, and TOTP seeds for the MFA implementation. Several of those secrets are encrypted at rest with a hardcoded key, which Picus and Qualys both note is closer to obfuscation than protection once an attacker can read the file. The unauthenticated GET is not a path-traversal in the abstract sense. It is a credential dump with extra steps.
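The missing step, as an added example rather than SimpleHelp's own code: a handler that joins whatever follows the route prefix onto the toolbox directory with no containment check, beside the canonicalize-and-contain form that rejects any path whose canonical form leaves the root. ROUTE_PREFIX and TOOLBOX_ROOT are assumed names over a constructed layout.

```python
import os
from typing import Optional
from urllib.parse import unquote

ROUTE_PREFIX = "/toolbox-resource/"
# Constructed layout for the example; the real toolbox location is not given above.
TOOLBOX_ROOT = "/opt/SimpleHelp/toolbox"

def vulnerable_resolve(request_path: str) -> str:
    """Pre-fix behaviour as described above: take what follows the route prefix
    and join it onto the toolbox directory with no containment check."""
    rel = request_path[len(ROUTE_PREFIX):]
    return os.path.normpath(os.path.join(TOOLBOX_ROOT, rel))

def safe_resolve(request_path: str) -> Optional[str]:
    """Hardened form: decode, canonicalize, then require that the canonical path
    still lies under TOOLBOX_ROOT. Returns None for anything that escapes."""
    if not request_path.startswith(ROUTE_PREFIX):
        return None
    rel = unquote(request_path[len(ROUTE_PREFIX):])
    # Absolute paths, backslashes and NUL bytes have no legitimate use here.
    if rel.startswith("/") or "\\" in rel or "\x00" in rel:
        return None
    root = os.path.normpath(TOOLBOX_ROOT)
    candidate = os.path.normpath(os.path.join(root, rel))
    # On a live server apply os.path.realpath to both sides as well, so a
    # symlink inside the root cannot point the canonical path back out of it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

Note that commonpath, not a string prefix test, is what stops a sibling directory such as toolbox2 from passing as "inside" the root.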
The seven-day patch
The disclosure timeline is unusually clean. Horizon3’s Naveen Sunkavally found all three vulnerabilities in late December 2024 and contacted SimpleHelp on December 30. SimpleHelp returned a security contact on January 6. Horizon3 disclosed the technical details that day. Two days later, on January 8, SimpleHelp shipped 5.5.8 and 5.4.10. The legacy 5.3.x branch followed on January 13 with 5.3.9. Horizon3’s public writeup went live around January 14-15.
Two days from full disclosure to 5.5.8 and 5.4.10. Five more for the legacy 5.3.x branch. Seven days from disclosure to last patch is fast by any honest measure. SimpleHelp is a small company. The turnaround deserves credit.
What it does not deserve is conflation with “the bug got fixed.” Shipping a build is the start of remediation, not the end. For a self-hosted product whose customers are MSPs running it on their own boxes, the install base updates when operators decide to update, which means the channel that tells operators an update exists is load-bearing.
The channel SimpleHelp used was a forum post titled “SimpleHelp 5.5.8 – Critical Security Fixes” and a knowledge-base article. There is no public evidence of direct email to self-hosted administrators, no auto-update for self-hosted servers, and no managed push to hosted instances.
The advisory also said SimpleHelp was “not aware of any active exploitation.” That sentence aged in two weeks. Arctic Wolf observed unauthorized access on January 22, roughly one week after the public writeup. CISA added CVE-2024-57727 to KEV on February 13 with a March 6 federal deadline. A vendor cannot prove a negative about exploitation, but “not aware of any active exploitation” reads to a customer as “no rush.” For a CVSS 7.5 unauthenticated read of a credential store, that framing pushes the rollout rightward by exactly the amount the attackers needed.
The siblings, held back
SimpleHelp’s January 2025 advisory bundled three CVEs. CVE-2024-57727 is the unauthenticated entry point. CVE-2024-57726 is a missing-authorization privilege escalation that takes a low-privilege technician credential, the kind 57727 just harvested, and walks it up to server administrator. CVE-2024-57728 is a zip-slip arbitrary write that lets an admin upload a malicious archive whose extracted paths escape the destination directory, planting a cron entry on Linux or overwriting a DLL on Windows. Horizon3 described the chain as 57727 -> authenticate as a technician -> 57726 -> 57728 -> RCE.
CISA added 57727 to KEV on February 13, 2025. They held 57726 and 57728 until April 24, 2026, more than a year later, after the chain had been observed end-to-end in the DragonForce intrusions Sophos reconstructed. The most plausible reading is that CISA treated 57727 as the initial-access vector and waited on field evidence before designating the privilege-escalation and RCE bugs as separately exploited. CISA does not publish staggered-add justifications, so this reading is inferential. The consequence is the same either way: an organization patching strictly to KEV deadlines prioritized 57727 and could reasonably have left the siblings, even though Horizon3’s January writeup laid the chain out in plain English.
Two cartels, one front door
Exploitation started almost immediately after public disclosure. Arctic Wolf documented unauthorized access beginning January 22, 2025, with operators spawning cmd.exe through SimpleHelp sessions to enumerate accounts and the domain. Field Effect documented a parallel campaign that created an “sqladmin” account, deployed a Cloudflare tunnel masquerading as svchost.exe, and staged a Sliver backdoor on hosts pivoted through the SimpleHelp server. Field Effect noted “signs of Akira ransomware” in the post-compromise TTPs but declined high-confidence attribution, and no other reporting has corroborated Akira. Treat that one as low-confidence.
DragonForce is the most thoroughly documented operator. Sophos’s May 27, 2025 reconstruction has DragonForce affiliates chaining all three CVEs against an MSP: 57727 to extract serverconfig.xml, 57726 to escalate a harvested technician credential, 57728 to deploy the DragonForce encryptor and QDoor, a tunneling backdoor previously seen in BlackSuit and Lynx campaigns. Dwell time was nine days. Restic exfil to Wasabi was confirmed before the locker was thwarted.
CISA’s AA25-163A on June 12, 2025 named DragonForce explicitly and documented the downstream pattern: the compromised MSP’s SimpleHelp instance was the pivot into a utility billing software provider’s network, and that provider’s customers became the eventual ransomware targets. The full scope of downstream victims has not been publicly quantified.
Medusa appears in parallel. Zensec’s UK incident response work documented a Medusa campaign in Q1 2025 across financial services, automotive, healthcare, ICT, and manufacturing, using SimpleHelp for initial access, RClone (renamed for evasion) for exfiltration, and PDQ Inventory and PDQ Deploy to push payloads named after the target. The American Hospital Association issued an early warning to US healthcare on January 29, 2025.
The shape is consistent across confirmed incidents: unauthenticated traversal -> credential extraction -> privilege escalation if needed -> abuse of SimpleHelp’s legitimate SYSTEM-level RMM access to reach managed endpoints -> persistence -> exfiltration -> ransomware. The MSP is not the target. The MSP is the delivery vehicle.
What an operator actually does now
If <install>/configuration/serverconfig.xml records anything below 5.5.8, 5.4.10, or 5.3.9, the instance is exploitable, and because no auth is required, internet exposure alone should be treated as compromise. The order matters: isolate or shut down the server first, upgrade, then reconnect. Patching in place does nothing about an attacker who has already read the credential store; every credential in it is still valid after the patch. CISA’s AA25-163A is explicit on the sequencing.
After exposure, every credential in serverconfig.xml has to be replaced. Technician passwords, the SimpleHelpAdmin password, LDAP service accounts bound to SimpleHelp, OIDC client secrets, every API key issued through the server, and the TOTP seeds. TOTP seeds have to be re-enrolled, not “rotated.” There is no in-place rotation that helps after the seed was read off disk.
The control that would have most reduced damage in 2025 is the one CISA recommends first. SimpleHelp ships a built-in IP restriction setting for technician and admin login sources. Use it. Better, put the management interface behind a VPN or firewall allowlist so the HTTP listener is not reachable from the internet. The breach reports skew heavily toward internet-exposed instances; operators who had already firewalled the admin port are largely absent from them.
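Two checks an operator can run before the isolate, upgrade, reconnect sequence above, as an added example and not SimpleHelp's or CISA's tooling: a per-branch comparison of the installed version against the fixed builds, and a scan of web-server access logs for requests to the vulnerable route carrying a traversal sequence. The combined-format log lines are constructed, and the treatment of branches outside 5.3 to 5.5 is an assumption.

```python
import re
from typing import List, Tuple

# Minimum fixed build per branch, as the January 2025 advisory is reported above.
# Assumption: branches newer than 5.5 post-date the fix and count as fixed;
# branches older than 5.3 never received a fix and count as vulnerable.
FIXED_MINIMUM = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}

def parse_version(text: str) -> Tuple[int, int, int]:
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized SimpleHelp version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def is_vulnerable(version: str) -> bool:
    """Compare per branch and as integers: a single-threshold or string
    comparison would call 5.4.10 vulnerable and 5.4.9 fixed."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_MINIMUM:
        return v < FIXED_MINIMUM[branch]
    return branch < (5, 3)

# Traversal against the vulnerable route, raw or percent-encoded, either case.
TRAVERSAL = re.compile(r"/toolbox-resource/.*?(\.\.|%2e%2e|\.%2e|%2e\.)", re.IGNORECASE)

def flag_traversal_requests(access_log: str) -> List[str]:
    """Return the combined-format log lines whose GET/HEAD path targets
    /toolbox-resource/ with a traversal sequence."""
    hits = []
    for line in access_log.splitlines():
        m = re.search(r'"(?:GET|HEAD) (\S+)', line)
        if m and TRAVERSAL.search(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines, not from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2025:03:14:07 +0000] "GET /toolbox-resource/../serverconfig.xml HTTP/1.1" 200 18322
198.51.100.4 - - [20/Jan/2025:03:14:09 +0000] "GET /toolbox-resource/icons/app.png HTTP/1.1" 200 4110
203.0.113.7 - - [20/Jan/2025:03:15:01 +0000] "GET /toolbox-resource/%2e%2e/serverconfig.xml HTTP/1.1" 200 18322
192.0.2.9 - - [20/Jan/2025:03:16:30 +0000] "POST /api/login HTTP/1.1" 401 83
"""

if __name__ == "__main__":
    for ver in ("5.5.7", "5.5.8", "5.4.9", "5.4.10", "5.3.9", "5.2.4"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A 200 status with a body size matching serverconfig.xml on a flagged line is the point at which the full credential rotation and TOTP re-enrollment above stop being precautionary.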
PatchDay Alert flags every CISA KEV add with affected versions and federal deadline in the same morning’s digest, so the rebuild starts before the forum thread does.
The vendor patched fast. The patch never reached the customers, because the channel was a forum post for a credential disclosure flaw. That is not a SimpleHelp story. It is the shape of the small-RMM market, and the people paying the bill are the dental practices and water utilities whose MSP did not know they were running an unpatched server.
Sources
- Critical Vulnerabilities in SimpleHelp Remote Support Software
- SimpleHelp 5.5.8 – Critical Security Fixes (community forum)
- Ransomware Actors Exploit Unpatched SimpleHelp RMM (AA25-163A)
- CISA Adds Four Known Exploited Vulnerabilities to Catalog (Apr 24, 2026)
- Arctic Wolf: Campaign Exploiting SimpleHelp RMM Software for Initial Access
- Sophos: DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
- Zensec: How RMM abuse fuelled Medusa & DragonForce attacks
- Picus: Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
- Project Discovery nuclei-templates CVE-2024-57727
- American Hospital Association: SimpleHelp Remote Access Software Vulnerable to Ransomware Attacks