The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding two actively exploited vulnerabilities in SimpleHelp remote support software, officially adding them to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026. Federal agencies and private organizations have until May 8, 2026 to apply mitigations or discontinue use of the affected product.
Why Remote Access Tools Are High-Value Targets
Remote access platforms like SimpleHelp are prime targets for cybercriminals because they provide direct, trusted pathways into corporate networks. When compromised, these platforms allow threat actors to bypass traditional security perimeters, pivot laterally, and launch devastating secondary attacks including ransomware deployment. The addition of these flaws to CISA’s KEV catalog confirms that real-world exploitation is already underway.
Vulnerability 1: Missing Authorization Flaw (CVE-2024-57726)
The first vulnerability is classified under CWE-862 (Missing Authorization). This security gap fundamentally breaks the role-based access controls within the SimpleHelp platform. The flaw allows low-privileged technicians to bypass intended restrictions and generate API keys with excessive permissions.
By exploiting this weakness, an attacker with a compromised low-level account can escalate privileges all the way to the server administrator role — gaining complete administrative control over the remote support environment and all connected client machines. This is a critical chaining vulnerability: an attacker who starts with any valid technician account can immediately use this flaw to elevate to full control.
Vulnerability 2: Path Traversal (CVE-2024-57728)
The second vulnerability is a path traversal flaw linked to CWE-22, of the kind often referred to as "zip slip": archive entries whose names contain traversal sequences are written outside the intended extraction directory. It allows an authenticated administrator to upload specially crafted zip files whose contents are written to arbitrary locations on the underlying file system.
The chaining mechanism is straightforward and devastating: an attacker first exploits CVE-2024-57726 to gain administrator access, then uses CVE-2024-57728 to upload a malicious payload anywhere on the server’s filesystem. Once deployed, the payload can execute arbitrary code within the security context of the SimpleHelp process, providing a solid foothold for lateral movement across the entire network.
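A defensive check for the zip slip pattern described above, added here as an example and not code from SimpleHelp, CISA or the advisory: every archive entry is resolved against the destination directory before anything is written, and the whole archive is rejected if any entry escapes. The sample archive and the upload directory are constructed for the example; the upload path is hypothetical.

```python
import io
import os
import zipfile

def is_contained(dest_dir: str, name: str) -> bool:
    """True if archive entry `name` resolves inside dest_dir. Comparing fully
    resolved paths catches '../' sequences, absolute entry names and a symlinked
    destination, all of which a naive os.path.join(dest_dir, name) writes through."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)

def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Names of entries that would land outside dest_dir (the zip slip case)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_contained(dest_dir, n)]

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Validate every entry before writing anything and reject the whole archive
    otherwise, so a bad entry late in the listing cannot leave partial output."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest_dir}: {bad}")
    root, written = os.path.realpath(dest_dir), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def build_zip(entries: dict[str, str]) -> bytes:
    """In-memory archive from {name: content}; entry names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: one benign entry and two that try to escape the upload root.
SAMPLE_ZIP = build_zip({"report.txt": "benign",
                        "../../outside.txt": "parent-directory traversal",
                        "/tmp/absolute.txt": "absolute entry name"})
UPLOAD_ROOT = "/srv/simplehelp/uploads"  # hypothetical destination, not a real path
```

Running `unsafe_entries(SAMPLE_ZIP, UPLOAD_ROOT)` lists the two escaping entries, and `safe_extract` refuses the archive before touching the disk; the same check applies to any upload handler that expands archives server-side.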
Active Exploitation Confirmed
CISA’s addition to the KEV catalog confirms that both vulnerabilities are being actively exploited in the wild. While it is currently unknown whether ransomware gangs are specifically leveraging these exploits, the threat class — remote access tool compromise — is consistently associated with ransomware precursor activity. Security teams should treat this as an imminent threat rather than a theoretical risk.
Required Actions and Deadlines
System administrators using SimpleHelp must take the following immediate actions:
- Apply all available mitigations and software updates provided in the official SimpleHelp vendor instructions without delay.
- Follow BOD 22-01 guidance for securing connected cloud services and external infrastructure.
- Monitor network logs for unusual API key generation or suspicious file uploads originating from the SimpleHelp server.
- Discontinue use of the product entirely and disconnect it from the network if mitigations or updates are unavailable.
- Review all API keys generated during the exposure window and revoke any that cannot be verified as legitimate.
Broader Implications for Remote Support Software
This incident adds to a growing list of remote access and support tools being weaponized by attackers. Organizations relying on remote support platforms should conduct an immediate audit of their access control configurations, review which accounts hold technician or administrator roles, and ensure multi-factor authentication is enforced across all privileged accounts. The combination of a privilege escalation flaw with a file write vulnerability represents a particularly dangerous attack chain that can result in full server compromise with minimal initial access.