
A number of vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) enabled attackers to upload and download files and escalate privileges to the admin level. The problem was recently discovered by Horizon3, which prompted SimpleHelp to release patches and fixed versions 5.5.8, 5.4.10, and 5.3.9.
But according to Arctic Wolf, attackers have already begun exploiting new bugs. A malicious campaign targeting SimpleHelp servers was launched a week after the publication of the Horizon3 security bulletin.
“While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible.”
Arctic Wolf analysts found out that the SimpleHelp Remote Access.exe process was running in the background on affected devices prior to the attack for a previous support session from a third-party vendor.
The first sign of compromise were communications between the SimpleHelp client on the target device and a third-party SimpleHelp server. Apparently, the attackers used vulnerabilities in SimpleHelp to gain control over the client or used stolen credentials.
After gaining access to the organization, the attackers used such tools as net
and nltest
to collect information on its accounts, groups, shares, and domain controllers, and also to test connectivity to Active Directory.
According to experts, these are the standard steps preceding privilege escalation and lateral movement. However, the malicious session was terminated before it was possible to figure out further plans of the attackers.
According to The Shadowserver Foundation, some 580 vulnerable SimpleHelp instances are currently available online; most of them (345) are located in the United States.


2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →