Ransomware Actors Exploit Unpa... Note

Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing an advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. Ransomware actors have been targeting organizations through unpatched versions of SimpleHelp RMM since January 2025. SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727, which is a path traversal vulnerability. CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2025. CISA urges software vendors, downstream customers, and end users to immediately implement the recommended mitigations based on confirmed compromise or risk of compromise. The mitigations include isolating the SimpleHelp server instance from the internet or stopping the server process, upgrading to the latest SimpleHelp version, and conducting threat hunting actions for evidence of compromise. CISA also recommends implementing proactive mitigations to reduce risk, such as maintaining a robust asset inventory, conducting daily system backups, and establishing open communication channels with third-party vendors. If a system has been encrypted by ransomware, CISA recommends disconnecting the affected system from the internet, reinstalling the operating system, and wiping the system and restoring data from a clean backup.