Healthcare Providers Warned About Vulnerability in SimpleHelp Remote Access Software
Three vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software are thought to be under active exploitation. The American Hospital Association (AHA) in conjunction with the Health Information Sharing and Analysis Center (Health-ISAC) has issued a cybersecurity advisory about the vulnerabilities and threat actor activity, and the Cybersecurity and Infrastructure Security Agency (CISA) has added one of the vulnerabilities to its Known Exploited Vulnerability Catalog. Healthcare organizations have been advised to prioritize patching the vulnerabilities.
The vulnerabilities were identified by researchers at Horizon3 in December 2024 and were disclosed to SimpleHelp on January 6, 2025. Patches were released to fix the vulnerabilities on January 13, 2025, when the flaws were publicly disclosed. Within one week of the public disclosure, threat actors are thought to have started exploiting the vulnerabilities. A malicious campaign was detected by researchers at Arctic Wolf on January 22, 2024, and while it could not be confirmed that the attacks on vulnerable SimpleHelp servers exploited these specific flaws, the timing of the campaign makes these vulnerabilities the likely source of the intrusions. Arctic Wolf reports that the attackers executed commands to gather system intelligence, a precursor to privilege escalation and lateral movement; however, the malicious session was terminated before further actions could be observed.
The vulnerabilities are a privilege escalation flaw tracked as CVE-2024-57726 (CVSS 9.9), a directory traversal flaw tracked as CVE-2024-57727 (CVSS 7.5), and a path traversal flaw tracked as CVE-2024-57728 (CVSS 7.2). Successful exploitation of the flaws allows threat actors to upload and download files, view, change, and delete data, escalate privileges to administrative level, and execute arbitrary code. CISA says the CVE-2024-57727 vulnerability is known to have been exploited in ransomware campaigns.
Around 580 SimpleHelp servers are exposed to the Internet, most of which are located in the United States. The vulnerabilities affect SimpleHelp versions v5.3, v5.4, and v5.5 and have been fixed in versions 5.3.9, 5.4.10, and 5.5.8. Since the vulnerabilities are potentially under active exploitation, software should be updated to the latest version as soon as possible. Investigations should also be conducted to determine if the vulnerabilities have already been exploited.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
