Cyber Resilience

CVE-2024-57728

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 15 January 2025
Modified: 24 April 2026
KEV Added: 24 April 2026
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5407 (98.1th percentile)
Risk Priority: 67 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57728 is a high-severity Link Following (CWE-59) vulnerability in Simple-Help Simplehelp. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE ranks in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

SimpleHelp remote support software versions 5.5.7 and earlier contain a zip-slip vulnerability that permits authenticated administrators to upload a specially crafted archive and write arbitrary files to any location on the underlying file system. The flaw is tracked as CVE-2024-57728, carries a CVSS 3.1 score of 7.2, and maps to the CWE-59 (link following) and CWE-22 (path traversal) weaknesses. Successful exploitation lets the attacker place executable content that runs in the context of the SimpleHelp server process.

An administrator account is sufficient to trigger the issue over the network. By supplying a malicious zip during the normal file-upload workflow, an attacker can overwrite binaries, scripts, or configuration files used by the SimpleHelp service, ultimately achieving remote code execution on the host without further user interaction.

Vendor guidance published in January 2025 directs administrators to apply the fixes released in SimpleHelp 5.5.8 or later. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and reporting from Microsoft and Trend Micro links exploitation activity to ransomware operators including Storm-1175 and DragonForce campaigns, indicating active in-the-wild use after disclosure. The associated EPSS score has remained elevated, with a recorded peak of 0.5933.

Vulnerability details

SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

CWE(s)
KEV Date Added: 24 April 2026

Related Threats

Threat-Actor Attribution AI

STORM-1175
Microsoft links STORM-1175 to Medusa ransomware operations exploiting SimpleHelp web-facing instances (Microsoft Security Blog).

MITRE ATT&CK Enterprise Techniques AI

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1505 Server Software Component (Persistence)
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1608.001 Upload Malware (Resource Development)
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

The zip slip vulnerability lets authenticated admins upload crafted ZIP files that write arbitrary files anywhere on the filesystem, leading to RCE in the server context. This facilitates exploitation of public-facing applications and remote services (T1190/T1210), abuse of server software components (T1505), web shell deployment (T1505.003, formerly T1100), and malware upload (T1608.001).

CVEs Like This One

CVE-2024-57727: Same product (Simple-Help Simplehelp); both on KEV
CVE-2024-57726: Same product (Simple-Help Simplehelp); both on KEV
CVE-2025-2749: Shared CWE-22; both on KEV
CVE-2025-8110: Shared CWE-22; both on KEV
CVE-2025-60710: Shared CWE-59; both on KEV
CVE-2021-27065: Shared CWE-22; both on KEV
CVE-2021-40444: Shared CWE-22; both on KEV
CVE-2026-41091: Shared CWE-59; both on KEV
CVE-2025-21391: Shared CWE-59; both on KEV
CVE-2025-61884: Shared CWE-22; both on KEV

Affected Assets

simple-help simplehelp, versions ≤ 5.5.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires identification, reporting, and correction of the zip slip vulnerability in SimpleHelp, preventing exploitation through timely flaw remediation.

Prevent: Mandates validation of zip file inputs to block path traversal payloads that enable arbitrary file writes outside intended directories.

Prevent: Enforces least privilege for the SimpleHelp server process, limiting the impact of arbitrary code execution even if file overwrites succeed.
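
The zip input validation described above, as an added example (not SimpleHelp's code or the vendor's fix): a Python pre-extraction check that rejects archive entries which are symlinks (CWE-59), use absolute paths, or resolve outside the destination directory (CWE-22). The function names, reason strings and sample archive are constructed for illustration, and POSIX paths are assumed.

```python
import io
import os
import stat
import zipfile


def audit_zip(data: bytes, dest: str) -> dict:
    """Return {entry name: reason} for every entry that must not be extracted."""
    root = os.path.realpath(dest)
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            mode = info.external_attr >> 16  # Unix mode bits, when the archiver stored them
            if stat.S_ISLNK(mode):
                # A link entry could redirect later writes outside the destination.
                rejected[info.filename] = "symlink entry"
            elif name.startswith("/") or name[1:2] == ":":
                rejected[info.filename] = "absolute path"
            else:
                # Resolve ".." components and compare against the destination root.
                target = os.path.realpath(os.path.join(root, name))
                if os.path.commonpath([root, target]) != root:
                    rejected[info.filename] = "escapes destination"
    return rejected


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only when every entry passes the audit; otherwise reject the whole archive."""
    bad = audit_zip(data, dest)
    if bad:
        raise ValueError(f"archive rejected: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed test archive: one benign entry and three that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("branding/logo.txt", "ok")
        zf.writestr("../../outside.txt", "x")
        zf.writestr("/tmp/absolute.txt", "x")
        link = zipfile.ZipInfo("branding/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc")
    return buf.getvalue()
```

Rejecting the whole archive on the first bad entry, rather than skipping that entry, keeps a partially extracted upload from reaching disk.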