What happened
CISA added two actively exploited vulnerabilities in SimpleHelp remote support software to its Known Exploited Vulnerabilities catalog on April 24, 2026, setting a remediation deadline of May 8 for federal agencies under Binding Operational Directive 22-01.
The first vulnerability, CVE-2024-57726, is a missing authorization flaw that breaks role-based access controls within the SimpleHelp platform. A low-privileged technician account can exploit the weakness to generate API keys with excessive permissions and escalate privileges to the server administrator role, gaining complete administrative control over the remote support environment and all connected client machines.
The second vulnerability, CVE-2024-57728, is a path traversal flaw that allows an authenticated administrator to upload specially crafted zip files to arbitrary locations on the underlying file system. While administrator access is required to trigger this bug directly, it can be chained with CVE-2024-57726 to first escalate privileges and then upload malicious payloads for arbitrary code execution on the host server. Code executed through this chain runs within the security context of the SimpleHelp user, providing a foothold for lateral movement across the network. CISA has not confirmed whether ransomware groups are actively using these specific exploits, but the KEV listing confirms active exploitation in the wild.
Who is affected
Any organization running SimpleHelp remote support software is directly exposed. Remote access tools are high-value targets because they provide authenticated pathways into corporate networks by design, making a compromised instance a direct entry point for secondary attacks across connected client machines.
Why CISOs should care
The chaining potential here is the critical risk. CVE-2024-57726 alone turns a low-privileged account into a server administrator. CVE-2024-57728 alone requires administrator access. Together, they form a two-step path from a compromised technician account to arbitrary code execution on the server and lateral movement into every machine the SimpleHelp instance manages. Remote access platforms sit at the center of IT support infrastructure, and a compromised instance effectively hands an attacker the keys to every endpoint it touches.
3 practical actions
- Apply SimpleHelp vendor patches immediately and meet the May 8 deadline: Both vulnerabilities are confirmed as actively exploited. Apply all available mitigations per vendor instructions without waiting for the FCEB deadline, which applies to federal agencies but reflects a level of urgency relevant to all organizations running the software.
- Audit SimpleHelp for unauthorized API key generation and unusual file uploads: Monitor logs for API keys generated by low-privileged technician accounts, unexpected privilege escalations, and zip file uploads to non-standard server paths, which are the specific indicators associated with exploitation of these two flaws.
- Disconnect SimpleHelp from the network if patching is not immediately possible: CISA’s guidance explicitly recommends discontinuing use of the product and removing it from the network if mitigations are unavailable. For organizations that cannot patch immediately, isolation is the appropriate interim control given confirmed active exploitation.
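As an added example (not code from CISA, SimpleHelp, or the original brief), the detection logic behind the second action above, run over constructed JSON-lines events: it flags API keys minted by technician accounts, role changes to server administrator, zip uploads whose destination escapes the expected upload directory, and the chain of an escalation followed by such an upload from the same account. The event schema, field names, and the `uploads` root are assumptions, since the real SimpleHelp log format is not given on the page.

```python
import json
import posixpath

# Constructed sample events in an assumed JSON-lines format; SimpleHelp's
# real log schema is not on the page, so these field names are hypothetical.
SAMPLE_LOG = """
{"ts":"2026-04-24T09:01:00Z","event":"login","user":"tech7","role":"technician"}
{"ts":"2026-04-24T09:02:10Z","event":"api_key_created","user":"tech7","role":"technician","scopes":["admin"]}
{"ts":"2026-04-24T09:03:30Z","event":"role_changed","user":"tech7","from":"technician","to":"server_admin"}
{"ts":"2026-04-24T09:05:00Z","event":"file_upload","user":"tech7","role":"server_admin","name":"tools.zip","dest":"uploads/../../opt/simplehelp/lib/x.zip"}
{"ts":"2026-04-24T10:00:00Z","event":"file_upload","user":"admin1","role":"server_admin","name":"toolkit.zip","dest":"uploads/toolkit.zip"}
"""

UPLOAD_ROOT = "uploads"  # assumed directory where legitimate uploads land


def path_escapes_root(dest, root=UPLOAD_ROOT):
    """True if a destination path resolves outside the expected upload root."""
    norm = posixpath.normpath(dest)
    return norm.startswith("/") or not (norm == root or norm.startswith(root + "/"))


def detect(log_text):
    """Return (alert_type, user, ts) tuples for the indicators named in the brief."""
    alerts = []
    escalated = set()  # accounts seen jumping to server_admin earlier in the log
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        kind, user, ts = ev["event"], ev["user"], ev["ts"]
        # 1. a low-privileged technician minting an API key (CVE-2024-57726 pattern)
        if kind == "api_key_created" and ev.get("role") == "technician":
            alerts.append(("technician_api_key", user, ts))
        # 2. an unexpected jump to the server administrator role
        if kind == "role_changed" and ev.get("to") == "server_admin":
            escalated.add(user)
            alerts.append(("privilege_escalation", user, ts))
        # 3. a zip upload whose destination escapes the upload root (CVE-2024-57728 pattern)
        if kind == "file_upload" and ev.get("name", "").lower().endswith(".zip"):
            if path_escapes_root(ev.get("dest", "")):
                alerts.append(("zip_traversal_upload", user, ts))
                # 4. the two-step chain: same account escalated, then uploaded outside the root
                if user in escalated:
                    alerts.append(("chained_escalation_then_upload", user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The admin1 upload to `uploads/toolkit.zip` is deliberately left unflagged, so the path check is what separates a routine zip upload from the traversal pattern.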
Also in the news today:
- China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks
- Surveillance Vendors Exploiting Telecom Infrastructure to Track Targets’ Locations
- American Utility Firm Itron Discloses Breach of Internal IT Network
- Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges
- Litecoin Zero-Day Vulnerability Exploited in DoS Attack, Disrupts Major Mining Pools
- 153,000 Electricity and Gas Contracts Exposed in Breach Linked to Iberdrola Partner
- Russian-Linked Campaign Compromises Signal Accounts of Senior German Officials
