virus logo Threat Signal Report

SimpleHelp Path Traversal Vulnerability

What is the Vulnerability?

FortiGuard Labs continues to observe ongoing attack attempts targeting SimpleHelp, a Remote Monitoring and Management (RMM) software, due to a critical unauthenticated path traversal vulnerability (CVE-2024-57727) affecting versions 5.5.7 and earlier. This flaw allows remote attackers to access and download arbitrary files from the server without authentication, simply by sending specially crafted HTTP requests. The exposed files may contain highly sensitive information, including server configuration data, hashed administrator passwords, API keys, and other credentials.

The root cause is improper input validation, which lets attackers manipulate file paths to reach files outside the intended directories. Due to active exploitation, this vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog in February 2025.

Update June 4, 2025: According to Cybersecurity Advisory published by Cybersecurity and Infrastructure Security Agency (CISA). Multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, exploited the vulnerabilities in remote monitoring and management (RMM) tool SimpleHelp to conduct remote code execution.

What is the recommended Mitigation?

To mitigate this vulnerability, users should upgrade to SimpleHelp versions 5.5.8, 5.4.10, or 5.3.9, which specifically address the path traversal issue (CVE-2024-57727).

Additionally, it is strongly recommended that all SimpleHelp users upgrade to the latest available version, which includes fixes for multiple critical vulnerabilities — CVE-2024-57726 (privilege escalation), CVE-2024-57727 (path traversal), and CVE-2024-57728 (arbitrary file upload) - to ensure comprehensive protection.

What FortiGuard Coverage is available?

  • FortiGuard Intrusion Prevention Service (IPS): An IPS signature is available to detect and block exploit attempts targeting CVE-2024-57727 Path traversal vulnerability.​ Intrusion Prevention | FortiGuard Labs

  • FortiGuard Endpoint Vulnerability Service: A systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface.
    Endpoint Vulnerability | FortiGuard Labs

  • FortiGuard Antimalware and Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.

  • Indicators of Compromise (IOC): FortiGuard Labs has blocked all the known Indicators of Compromise IOCs linked to the campaigns targeting the SimpleHelp Vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726).

  • Incident Response: The FortiGuard Incident Response team is available to assist with any suspected compromise.

description-logoOutbreak Alert

FortiGuard Labs continues to observe ongoing attack attempts targeting SimpleHelp, a Remote Monitoring and Management (RMM) software, due to a critical unauthenticated path traversal vulnerability (CVE-2024-57727) affecting versions 5.5.7 and earlier.

View the full Outbreak Alert Report

Additional Resources

SimpleHelp Bulletin
#StopRansomware: Play Ransomware | CISA


Released Date May 29, 2025
Updated Date Jun 05, 2025
Tags SimpleHelp Ransomware Attack Threat Signal Vulnerability
CVE ID


Threat Actor Type Ransomware

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert
About FortiGuard Threat Signal

Learn More »