Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert notifying about ransomware actors abusing unpatched vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software—a tactic increasingly used to compromise organizations since early 2025.
With over 21,000 new CVEs already logged by NIST this year, cybersecurity teams are under growing pressure to stay ahead. Vulnerability exploitation remains the leading attack vector, particularly for ransomware groups. A recent incident highlighted by CISA underscores this trend: attackers leveraged flaws (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728) in SimpleHelp RMM to deploy DragonForce ransomware and exfiltrate sensitive data, using double extortion tactics to maximize impact.
Detect SimpleHelp RMM Vulnerabilities Exploitation for Ransomware Distribution
According to Sophos, the average ransomware recovery cost soared to $2.73 million in 2024—an enormous 500% increase from the previous year. With ransomware actors frequently exploiting software vulnerabilities (projected to exceed 49,000 by the end of 2025), this sharp rise underscores the growing financial impact of cyberattacks and the urgent need for proactive defense strategies. To stay ahead of threats like those leveraging SimpleHelp RMM flaws, cyber defenders need timely, reliable threat intelligence and actionable detection content to outpace attackers at every step.
Register for the SOC Prime Platform to access a dedicated collection of Sigma rules addressing the exploitation of SimpleHelp RMM vulnerabilities for ransomware distribution. Curated detection content is backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the Explore Detections button below and immediately drill down to a relevant content stack.
Security professionals can also explore the broader collection of detection rules for vulnerability exploitation by searching with the broader “CVE” tag, or apply the “Ransomware” tag to access a set of detection rules covering ransomware attacks worldwide.
All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, every rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.
On top of it, security experts can streamline threat investigation using Uncoder AI – a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, convert IOCs into performance-optimized queries for fast sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.
Exploiting SimpleHelp Software: What’s Behind the Attack
Sophos recently investigated a targeted attack involving an MSP, in which adversaries compromised the provider’s SimpleHelp RMM tool at the initial attack stage. Attackers further deployed DragonForce ransomware across multiple systems and stole sensitive data, executing a double extortion strategy to pressure victims into paying.
Sophos states that the attackers leveraged a vulnerability chain consisting of CVE-2024-57727 (multiple path traversal flaws), CVE-2024-57728 (an arbitrary file upload vulnerability), and CVE-2024-57726 (a privilege escalation flaw).
DragonForce is a sophisticated RaaS operation that surfaced in mid-2023. According to researchers, the group began rebranding in March 2025 as a “cartel,” shifting to a distributed affiliate model to attract a broader range of threat actors. This repositioning has significantly raised the group’s profile. DragonForce recently asserted control over infrastructure formerly associated with RansomHub, and is now reportedly being used by high-profile ransomware maintainers, including Scattered Spider (UNC3944). This group, previously associated with RansomHub, has been linked to attacks on major retail chains in both the UK and the US using the DragonForce ransomware payload.
Sophos uncovered the campaign after detecting a suspicious SimpleHelp installer, deployed via the MSP’s legitimate RMM instance. Attackers gained access via the targeted RMM to gather data across diverse customer environments. One MSP client was able to block the ransomware and data theft. However, other clients were impacted by both ransomware deployment and data exfiltration.
On June 12, 2025, CISA issued an advisory in response to ransomware actors exploiting unpatched vulnerabilities in SimpleHelp RMM software to breach the customers of a utility billing provider. DragonForce hackers likely weaponized CVE-2024-57727 to target unpatched SimpleHelp RMM instances for disruption of services and double extortion attacks.
SimpleHelp versions 5.5.7 and earlier contain multiple security flaws, including the above-mentioned CVE-2024-57727. Notably, CISA added CVE-2024-57727 to its KEV Catalog on February 13, 2025.
CISA strongly recommends promptly applying mitigation measures against ransomware attacks weaponizing SimpleHelp RMM software, given the confirmed compromises and the significant risk of further exploitation. If SimpleHelp is embedded in vendor software or used by a third-party provider, the advisory recommends identifying the server version in the serverconfig.xml file. If version 5.5.7 or earlier has been in use at any point since January 2025, vendors should isolate or shut down the SimpleHelp server, promptly update to the latest version per SimpleHelp’s security advisory, notify downstream customers, and advise them to secure endpoints and initiate threat hunting. Further mitigation measures include maintaining an up-to-date asset inventory, ensuring regular system backups to offline, disconnected storage devices, continuously assessing the risks associated with RMM software, and verifying the security controls implemented by third-party providers.
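The version check above is the one step of the advisory that can be scripted. The following is an added example (not SOC Prime’s, CISA’s, or SimpleHelp’s own code) that reads a serverconfig.xml, extracts the server version, and flags anything at 5.5.7 or earlier. The advisory only says the version lives in serverconfig.xml; the file layout used here (a `<version>` element under a `<serverconfig>` root) is an assumption, as is the sample file content, so adjust the lookup to match a real deployment. Versions are compared numerically so that, for instance, 5.5.10 is correctly ranked above 5.5.7, which a plain string comparison would get wrong.

```python
"""Triage helper for the CISA SimpleHelp guidance: read the server version
from serverconfig.xml and flag anything at or below 5.5.7.

Added example, not SOC Prime's, CISA's or SimpleHelp's code. The XML layout
(root <serverconfig>, child <version>) is an ASSUMPTION: the advisory only
says the version is found in serverconfig.xml, so verify the tag name
against a real file before relying on this.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Highest version CISA names as affected ("5.5.7 and earlier").
LAST_AFFECTED = (5, 5, 7)

# Constructed sample file content standing in for a real serverconfig.xml.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<serverconfig>
  <version>5.5.7</version>
  <port>80</port>
</serverconfig>
"""


def parse_version(text):
    """Turn '5.5.7' into (5, 5, 7) so comparisons are numeric.

    A plain string comparison would rank '5.5.10' below '5.5.7'; integer
    tuples compare component by component and avoid that mistake.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when the version is 5.5.7 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def extract_version(xml_text):
    """Read the version string out of serverconfig.xml content.

    ASSUMPTION: the value sits in a <version> element. The search is
    position-tolerant (any depth) so a differently nested file still works
    as long as the tag name matches.
    """
    root = ET.fromstring(xml_text)
    node = root.find(".//version")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <version> element found in serverconfig.xml")
    return node.text.strip()


def triage(xml_text):
    """Summarise one server config as a dict: version, affected flag, action."""
    version = extract_version(xml_text)
    affected = is_affected(version)
    action = (
        "isolate or shut down the server, update per SimpleHelp's security "
        "advisory, notify downstream customers and start threat hunting"
        if affected
        else "version is above 5.5.7; no action from this advisory"
    )
    return {"version": version, "affected": affected, "action": action}


if __name__ == "__main__":
    # Pass the path of a real serverconfig.xml; without one, the sample is used.
    xml_text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = triage(xml_text)
    status = "AFFECTED" if result["affected"] else "not affected"
    print(f"SimpleHelp server version {result['version']}: {status} -> {result['action']}")
```

Run it with the path of a deployed serverconfig.xml as the first argument; with no argument it triages the constructed sample and reports it as affected. Because the advisory applies to any server that ran 5.5.7 or earlier since January 2025, a clean result from the current file does not rule out an earlier exposure, so pair this check with change history or backups of the config.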
Defenders have deemed this attack targeting SimpleHelp RMM instances especially dangerous due to its focus on utility billing software providers, which act as critical links between infrastructure operators and end users. The use of double extortion tactics against these high-value intermediaries highlights the advanced nature of the campaign and the pressing need for proactive, multilayered cybersecurity measures. By relying on SOC Prime’s complete product suite backed by AI, automation, and live threat intel, organizations can proactively identify any sophisticated threats and preempt attacks at their earliest stages.