
Critical Vulnerabilities Discovered in SimpleHelp Remote Support Software


Security researchers at Horizon3.ai have uncovered three critical vulnerabilities in SimpleHelp, a remote support software solution used globally. The flaws, which could allow attackers to compromise both SimpleHelp servers and client machines, were patched last week following responsible disclosure to the vendor.

The most severe vulnerability, tracked as CVE-2024-57727, is an unauthenticated path traversal flaw that lets attackers download arbitrary files from SimpleHelp servers. It is particularly concerning because SimpleHelp stores sensitive configuration data, including encrypted passwords and credentials, in files that can be read this way.

A second vulnerability, CVE-2024-57728, allows authenticated attackers with admin privileges to upload arbitrary files anywhere on the SimpleHelp server. 

On Linux systems, attackers could exploit this by uploading malicious crontab files to execute remote commands, while on Windows systems, they could overwrite system executables to achieve remote code execution.

The third vulnerability, CVE-2024-57726, enables privilege escalation from a low-privileged technician account to server administrator status. This flaw stems from missing backend authorization checks in certain admin functions, allowing technicians to promote themselves through a specific sequence of network calls.

SimpleHelp's server software, which operates on Windows, Linux, and macOS platforms, acts as both a web application and a proxy server, managing connections between support technicians and customers. The software is particularly attractive to attackers because it can provide direct access to customer machines through its "unattended remote access" feature.

According to Horizon3.ai's research, SimpleHelp has a significant global presence with at least 3,416 servers exposed on the internet. The United States hosts the majority with 1,971 servers, followed by the United Kingdom with 354 servers and France with 227 servers.

SimpleHelp has responded quickly to the disclosure, releasing patched versions 5.5.8, 5.4.10, and 5.3.9 to address these vulnerabilities. 

Users are strongly urged to upgrade immediately, as any version prior to these releases is potentially exploitable. A vulnerable server can be identified by checking its version through the /allversions endpoint or by examining the HTTP Server header.
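A defender-side triage sketch for the version check described above, added here as an example and not taken from Horizon3.ai or SimpleHelp: it compares each reported version against the fixed release of its own branch, numerically rather than as text. The banner format, hostnames and function names are assumptions, and the sample inventory is constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
PATCHED = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}

# Assumption: the version shows up as three numbers joined by dots or dashes
# somewhere in the /allversions body or the Server header value.
_VERSION_RE = re.compile(r"(?<!\d)(\d+)[.\-](\d+)[.\-](\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a banner string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Classify one reported version as vulnerable, patched or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in PATCHED:
        # Tuple comparison is numeric, so 5.4.9 < 5.4.10 (a plain string
        # comparison would get this backwards).
        return "patched" if version >= PATCHED[branch] else "vulnerable"
    if branch < min(PATCHED):
        # Older branches have no fixed release listed in the article.
        return "vulnerable"
    # Newer branches are not covered by the article; check the vendor advisory.
    return "unknown"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are illustrative).
SAMPLE = {
    "sh-01.example.internal": "SimpleHelp/SSuite-5-5-7",
    "sh-02.example.internal": "5.4.10",
    "sh-03.example.internal": "5.4.9",
    "sh-04.example.internal": "5.2.17",
    "sh-05.example.internal": "nginx",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```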

The security of remote access tools is a growing concern, following other notable zero-day vulnerabilities in similar products like ConnectWise ScreenConnect and BeyondTrust that were exploited in the wild during 2024. 

Security researchers warn that these vulnerabilities may already be known to threat actors, emphasizing the urgency of applying the available patches.
