Threat actors have been actively exploiting newly discovered vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software, with the aim of gaining unauthorized access to networks. These flaws, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow for privilege escalation and remote code execution. Cybersecurity company Field Effect reported that attackers are using these vulnerabilities as an initial access point to maintain persistent remote access, which could later lead to ransomware deployment. While the flaws were patched in January 2025, the attack chain was still successfully carried out soon after the vulnerabilities were disclosed.
The attack was carried out through a SimpleHelp RMM instance located in Estonia.
Once the attacker gained access to the network, they performed several post-exploitation activities, including reconnaissance and the creation of an administrator account named “sqladmin.” They then deployed the Sliver framework, which facilitated lateral movement within the network. This allowed the attacker to connect the domain controller with the compromised SimpleHelp client and set up a Cloudflare tunnel to route traffic to servers under the attacker’s control, making it harder for the attack to be detected.
Field Effect’s researchers managed to halt the attack before the Cloudflare tunnel could be used to deliver additional payloads like ransomware. However, the use of the Sliver framework and tunneling techniques highlighted a growing trend in ransomware campaigns. The tactics used in this attack were similar to those previously reported in Akira ransomware campaigns, though it remains unclear whether the attackers were linked to that specific group. The attack underscores the threat posed by vulnerable RMM software and the persistence of cybercriminals exploiting such flaws.
As the threat landscape evolves, cybersecurity experts warn that organizations exposed to these vulnerabilities need to act quickly by updating their RMM clients. The rise in these types of attacks emphasizes the need for robust defenses against both known and emerging threats. Additionally, the increasing use of RMM software in attack chains, such as with ScreenConnect being manipulated by threat actors, highlights the expanding scope of these vulnerabilities, urging companies to bolster their defenses against cyber threats more effectively.
