CVE-2024-57727 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

SimpleHelp Path Traversal Vulnerability

Exploit added

February 13, 2025

Action due

March 6, 2025

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.

References

https://simple-help.com/kb—security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/

Weakness Enumeration

CWE-ID	CWE Name
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Details

Source:
NVD

Published:
January 15, 2025

Updated:
February 14, 2025

Risk information

CVSS v3

Base score:
7.5

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2

Not defined