January 16, 2025 By Zeljka Zorz
If you’re an organization using SimpleHelp for your remote IT support/access needs, you should update or patch your server installation without delay, to fix security vulnerabilities that may be exploited by remote attackers to execute code on the underlying host.
The vulnerabilities
SimpleHelp is relatively popular remote support/access software that has also occasionally been used by cyber attackers.
The solution is mostly used by technical services firms and organizations’ IT help desk and technical support teams. It uses the Java runtime environment to run its server and client components and, thus, can be run on Windows, macOS or Linux machines.
Horizon3.ai researchers have recently probed the software for security weaknesses, and have discovered three vulnerabilities:
- CVE-2024-57727, an unauthenticated path traversal vulnerability that could allow attackers to download arbitrary files from the SimpleHelp server, including logs and configuration secrets (encrypted with a hardcoded key)
- CVE-2024-57728, an arbitrary file upload flaw that could be exploited by authenticated attackers (e.g., leveraging admin credentials gleaned from downloading config files) to upload arbitrary files to the machine running the SimpleHelp server or even interact with/access remote machines if the “unattended access” option is switched on. “For Linux servers, an attacker could exploit this vulnerability to upload a crontab file to execute remote commands. For Windows servers, an attacker could overwrite executables or libraries used by SimpleHelp to get to remote code execution,” the researchers explained.
- CVE-2024-57726, a vulnerability stemming from missing authorization checks for certain admin function could be misused by attackers to elevate their priviledes to admin and, for example, exploit CVE-2024-57728 to take over the server.
