CVE-2024-57726
Published: 15 January 2025
Summary
CVE-2024-57726 is a critical-severity Missing Authorization (CWE-862) vulnerability in SimpleHelp remote support software (vendor: Simple-Help). Its CVSS 3.1 base score is 9.9 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 2.6% of CVEs by exploit likelihood (EPSS percentile), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
SimpleHelp remote support software versions 5.5.7 and earlier contain a missing authorization flaw in API key creation: the key-creation path does not check that the permissions requested for a new key are within the requesting technician's own rights (CWE-862), so a low-privilege technician can mint an API key carrying administrator-level permissions. Because subsequent API calls are authorized against the key's permission set rather than the technician's role, that key can then be used to act as a full server administrator. The CVSS 3.1 base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An authenticated technician can exploit the flaw over the network, without user interaction, to obtain administrative control of the SimpleHelp server, and with it arbitrary management of connected endpoints and access to sensitive support data. Because the server brokers remote access to every enrolled machine, the impact extends beyond the server itself, which is why the score carries a changed scope. The issue is tracked under CWE-862 and has been added to CISA's Known Exploited Vulnerabilities catalog.
Public references from the vendor, Horizon3, Microsoft, and Trend Micro document active exploitation of the vulnerability in campaigns by groups such as Storm-1175 and DragonForce ransomware operators. The associated EPSS score rose from a low baseline to a peak of 0.5225 on 2026-04-25 before receding to its current value of 0.3883, indicating sustained post-disclosure attacker interest. Organizations are advised to apply the fixes detailed in SimpleHelp's January 2025 security bulletin. Since an upgrade closes the key-creation path but does not by itself revoke keys that were already issued, existing API keys should also be reviewed, and any over-privileged or unexplained technician-created keys revoked.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53724
Vulnerability details
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privilege technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
- CWE(s): CWE-862 (Missing Authorization)
- KEV Date Added: 24 April 2026
Related Threats
Threat-Actor Attribution: Storm-1175; DragonForce ransomware operators (per the vendor, Horizon3, Microsoft and Trend Micro references cited above)
MITRE ATT&CK Enterprise Techniques: T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability allows low-privilege technicians to create API keys with excessive permissions; using such a key to assume the server admin role is exploitation of a software flaw for privilege escalation (T1068).
Affected Assets
SimpleHelp remote support software, v5.5.7 and earlier.
Mitigating Controls (NIST 800-53 r5)
AC-6 (Least Privilege): requiring that a credential carry no more rights than the role that issued it would have stopped technician-created API keys from carrying server admin permissions.
AC-3 (Access Enforcement): the root cause is an authorization decision that is never made (CWE-862); enforcing approved authorizations on the key-creation request itself, not only at login, closes it.
AC-2 (Account Management): treating API keys as managed accounts, with an inventory, a named owner, periodic review and revocation, limits how long an over-privileged key survives and makes unauthorized key creation visible.
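To make the CWE-862 pattern described under "Deeper analysis" and the AC-3/AC-6 controls above concrete, the following is an added, constructed model of an API-key issuance endpoint. It is not SimpleHelp's code, and the role names, permission strings, function names and data structures are assumptions made for the example. It shows the vulnerable path (authenticated caller, requested permissions copied into the key unchecked), the hardened path (requested permissions must be a subset of the caller's role), and an audit routine of the kind an incident responder would run over an existing key inventory after patching.

```python
from dataclasses import dataclass
import secrets

# Constructed permission model for the example. SimpleHelp's real role and
# permission names are not public in this advisory; these are assumptions.
ROLE_PERMISSIONS = {
    "technician": frozenset({"session:create", "session:join", "machine:view"}),
    "admin": frozenset({"session:create", "session:join", "machine:view",
                        "machine:manage", "user:manage", "server:configure"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    owner: str
    permissions: frozenset


class AuthorizationError(Exception):
    """Raised when a caller asks for rights their role does not hold."""


def issue_key_vulnerable(caller: User, requested) -> ApiKey:
    """Missing authorization (CWE-862): the caller is authenticated, but the
    requested permission set is copied into the key without being compared
    to what the caller's role may grant. A technician who asks for
    'server:configure' simply gets it."""
    return ApiKey(secrets.token_hex(8), caller.name, frozenset(requested))


def issue_key_hardened(caller: User, requested) -> ApiKey:
    """Access enforcement (AC-3) plus least privilege (AC-6): a key may carry
    only permissions already held by the caller's role, so it can never
    out-rank its creator. Over-privileged requests are refused outright rather
    than silently trimmed, so the attempt shows up in logs."""
    allowed = ROLE_PERMISSIONS.get(caller.role, frozenset())
    excess = frozenset(requested) - allowed
    if excess:
        raise AuthorizationError(
            f"{caller.name} ({caller.role}) may not grant {sorted(excess)}")
    return ApiKey(secrets.token_hex(8), caller.name, frozenset(requested))


def can_use(key: ApiKey, permission: str) -> bool:
    """What the server checks at request time: only the key's own permission
    set, not the role of whoever created it. This is why an over-privileged
    key is a full escalation."""
    return permission in key.permissions


def audit_keys(keys, users):
    """Incident-response check: list keys whose permissions exceed their
    owner's current role, i.e. keys that could only have been minted through
    the vulnerable path. Returns (key_id, owner, excess permissions) tuples.
    Keys whose owner no longer exists are reported in full."""
    role_of = {u.name: u.role for u in users}
    findings = []
    for key in keys:
        allowed = ROLE_PERMISSIONS.get(role_of.get(key.owner, ""), frozenset())
        excess = key.permissions - allowed
        if excess:
            findings.append((key.key_id, key.owner, tuple(sorted(excess))))
    return findings


if __name__ == "__main__":
    tech = User("tech1", "technician")
    wanted = ROLE_PERMISSIONS["admin"]  # ask for everything an admin has
    bad_key = issue_key_vulnerable(tech, wanted)
    print("vulnerable path, key can configure server:",
          can_use(bad_key, "server:configure"))
    try:
        issue_key_hardened(tech, wanted)
    except AuthorizationError as err:
        print("hardened path refused:", err)
    print("audit findings:", audit_keys([bad_key], [tech]))
```

The audit is deliberately keyed on the owner's current role rather than on who approved the key: after the upgrade, any surviving key whose rights exceed its owner's role is evidence of pre-patch abuse or of a later role downgrade that was never propagated to the key, and either way it should be revoked.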