Cyber Posture

CVE-2024-57728

High · CISA KEV · Active Exploitation

Published: 15 January 2025
Modified: 24 April 2026
KEV Added: 24 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5933 (98.3rd percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57728 is a high-severity Link Following (CWE-59) vulnerability in SimpleHelp remote support software (vendor Simple-Help). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Shell (T1505.003) and four other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent): Directly requires identification, reporting, and correction of the zip slip vulnerability in SimpleHelp, preventing exploitation through timely flaw remediation.

SI-10 Information Input Validation (prevent): Mandates validation of zip file inputs to block path traversal payloads that enable arbitrary file writes outside intended directories.

AC-6 Least Privilege (prevent): Enforces least privilege for the SimpleHelp server process, limiting the impact of arbitrary code execution even if file overwrites succeed.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1505 Server Software Component (Persistence): Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1608.001 Upload Malware (Resource Development): Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

The zip slip vulnerability lets an authenticated admin upload a crafted ZIP whose entry names carry path traversal segments, so extraction writes files anywhere on the filesystem and yields code execution in the context of the server process. That chain covers exploitation of a public-facing application or remote service (T1190/T1210), abuse of a server software component (T1505), web shell deployment (T1505.003), and staging of the malicious archive (T1608.001).

NVD Description

SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

Deeper analysis [AI-generated]

CVE-2024-57728 affects SimpleHelp remote support software versions 5.5.7 and earlier. The vulnerability is a zip slip flaw (CWE-59, CWE-22) that allows authenticated admin users to upload crafted zip files, enabling arbitrary file writes anywhere on the file system. This can lead to arbitrary code execution on the host in the context of the SimpleHelp server user. Published on 2025-01-15, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An attacker with admin privileges can exploit this over the network with low complexity and no user interaction required. By uploading a malicious zip file, they achieve remote code execution as the server process user, potentially compromising the host through file overwrites in critical paths like executables or configuration files.
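The mechanism described above (an archive entry name carrying "../" segments that the extractor joins onto its destination directory) and the SI-10 input-validation control recommended earlier are shown below as an added example. This is not SimpleHelp's code and does not reproduce the product's extractor; the archive is constructed in memory for the example, and the function names, the symlink-entry check and the hypothetical destination directory are assumptions. It also shows why a string-prefix containment test is not enough: a sibling directory whose name starts with the destination's name passes it, while a component-wise check rejects it.

```python
import io
import os
import stat
import tempfile
import zipfile


def build_zip_slip_archive(traversal_name="../../escaped.txt", payload=b"owned\n"):
    """Build an in-memory ZIP (constructed sample for this example) holding one
    benign entry and one entry whose name carries '../' segments. zipfile stores
    entry names verbatim, so the traversal survives just as a crafted upload would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("safe/readme.txt", b"benign\n")
        zf.writestr(traversal_name, payload)
    return buf.getvalue()


def build_symlink_archive(link_name="cfg", link_target="/etc/target"):
    """Constructed sample: a single entry marked as a symlink in its Unix mode bits.
    A link-following extractor would create the link, and a later entry written
    through it would land at the attacker-chosen target (CWE-59)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo(link_name)
        zi.external_attr = (stat.S_IFLNK | 0o777) << 16  # upper 16 bits carry the mode
        zf.writestr(zi, link_target.encode())             # a symlink entry's body is its target
    return buf.getvalue()


def naive_is_contained(root, name):
    """The check that looks right but is not: a string-prefix test accepts a sibling
    directory such as <root>side/ because its path starts with <root>."""
    target = os.path.realpath(os.path.join(root, name))
    return target.startswith(root)


def strict_is_contained(root, name):
    """Component-wise containment: the resolved target's common path with the root
    must be the root itself, which rejects '..' escapes, absolute names and
    prefix collisions alike."""
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def unsafe_entries(zip_bytes, dest_dir):
    """Names of entries that must not be extracted into dest_dir: anything that
    escapes the root, plus symlink entries (rejected as defence in depth)."""
    root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix mode bits, if the creator set them
            if stat.S_ISLNK(mode) or not strict_is_contained(root, info.filename):
                bad.append(info.filename)
    return bad


def extract_safely(zip_bytes, dest_dir):
    """Validate every entry before touching the filesystem, then extract.
    Returns the absolute paths written. Raises ValueError on any unsafe entry."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, unsafe entries: {bad}")
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run the checks against the constructed archives in a throwaway directory
    (hypothetical destination) and return what each check observed."""
    root = os.path.realpath(tempfile.mkdtemp())
    sibling = "../" + os.path.basename(root) + "side/x"  # <root>side/x, a prefix collision
    slip = build_zip_slip_archive()
    results = {
        "naive_passes_sibling": naive_is_contained(root, sibling),
        "strict_passes_sibling": strict_is_contained(root, sibling),
        "flagged": unsafe_entries(slip, root),
        "flagged_symlink": unsafe_entries(build_symlink_archive(), root),
    }
    try:
        extract_safely(slip, root)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    clean = build_zip_slip_archive(traversal_name="safe/notes.txt")
    results["written"] = [os.path.relpath(p, root) for p in extract_safely(clean, root)]
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: every entry is checked before any byte is written, so a single bad name rejects the whole upload rather than leaving a partial extraction behind. The realpath call is what makes the check robust against a destination directory that is itself reached through a symlink; without it, commonpath would compare an unresolved root with a resolved target and reject legitimate entries.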

Referenced sources include a vendor knowledge base article on vulnerabilities in SimpleHelp 5.5.7 and earlier (simple-help.com), the Horizon3.ai disclosure of the issues, and CISA's Known Exploited Vulnerabilities catalog entry.

The vulnerability is listed in CISA's KEV catalog, signaling real-world exploitation. References link it to ransomware activity, including Storm-1175 operations targeting web-facing assets in Medusa ransomware campaigns (Microsoft) and DragonForce ransomware (Trend Micro).

Details

CWE(s): CWE-59 (Link Following), CWE-22 (Path Traversal)
KEV Date Added: 24 April 2026

Affected Products

simple-help simplehelp ≤ 5.5.8

CVEs Like This One

CVE-2024-57727 (same product: Simple-Help Simplehelp; both on KEV)
CVE-2024-57726 (same product: Simple-Help Simplehelp; both on KEV)
CVE-2025-2749 (shared CWE-22; both on KEV)
CVE-2025-8110 (shared CWE-22; both on KEV)
CVE-2025-60710 (shared CWE-59; both on KEV)
CVE-2025-21391 (shared CWE-59; both on KEV)
CVE-2025-61884 (shared CWE-22; both on KEV)
CVE-2025-48384 (shared CWE-59; both on KEV)
CVE-2026-34604 (shared CWE-22, CWE-59)
CVE-2024-12905 (shared CWE-22, CWE-59)
