Unpatched SimpleHelp Vulnerabilities Continue to be Exploited by DragonForce


CISA issued an advisory warning that ransomware actors have been exploiting unpatched versions of SimpleHelp Remote Monitoring and Management (RMM) software, particularly version 5.5.7 and earlier, since January 2025.
These versions contain known vulnerabilities, including CVE-2024-57727, which attackers are likely using to infiltrate downstream customer networks and carry out double extortion ransomware attacks, Infosecurity Magazine reports.
CISA urges software vendors, downstream customers, and end users to immediately determine if they are affected and apply mitigation steps. Vendors embedding SimpleHelp or relying on it through third-party providers should identify the version in use and, if it's outdated, isolate or shut down the instance, update to the latest version, and notify affected customers.
Downstream customers and end users are advised to check for SimpleHelp installations at specified paths depending on the operating system—Windows, Linux, or macOS. If the software is found, its version should be verified via an HTTP query.
Systems running version 5.5.7 or earlier should undergo threat hunting for signs of compromise and traffic anomalies. If no compromise is found, an immediate upgrade or workaround should still be implemented to secure the environment and prevent future exploitation.
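The version triage described above, sketched as an added example (not code from CISA, SimpleHelp, or the original post). It assumes you have already collected a version string per instance; the host names and strings are constructed, and the action labels are hypothetical names for the advisory's two outcomes plus a manual-check fallback. Versions are compared numerically because plain string comparison would rank 5.5.10 below 5.5.7.

```python
import re

# Last affected release named in the advisory summary above.
LAST_AFFECTED = (5, 5, 7)

# Matches "5.5.7", "5.4", or a version embedded in a longer banner string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a reported string, or None if absent."""
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    # A missing patch component ("5.4") is treated as 0.
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def classify(reported):
    """Map a reported version string to a (hypothetical) action label."""
    version = parse_version(reported)
    if version is None:
        return "verify-manually"      # could not determine the version
    if version <= LAST_AFFECTED:      # tuple comparison is numeric per field
        return "hunt-then-upgrade"    # 5.5.7 or earlier: hunt, then upgrade
    return "ok"


def triage(inventory):
    """inventory maps host -> reported version string; returns host -> action."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (not real hosts or real server responses).
SAMPLE = {
    "rmm-a.example.internal": "5.5.7",
    "rmm-b.example.internal": "SimpleHelp v5.5.10",
    "rmm-c.example.internal": "5.4",
    "rmm-d.example.internal": "",
    "rmm-e.example.internal": "5.5.8",
}

if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE).items()):
        print(f"{host}: {action}")
```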
Takeaway: Patch management isn’t just a best practice anymore, it’s a survival tactic. The window between vulnerability disclosure and exploitation is closing fast, and every org needs to stop treating patching like a quarterly housekeeping chore.
Unpatched remote access and management tools are the lowest-hanging fruit of the ransomware world, and SimpleHelp is just the latest example. Unpatched versions are being exploited in multiple attacks by DragonForce in much the same way Cl0p leveraged MOVEit and GoAnywhere bugs in campaigns.
Same strategy, different unpatched software vulnerabilities. Threat actors are taking advantage of the fact that too many orgs still can’t patch fast enough. What’s wild is how predictable this has become. Threat actors aren’t doing anything particularly novel here, they’re just doing it faster.
Mean-time-to-exploitation used to be measured in weeks. Now, it’s down to days. In some cases, hours. Once a CVE drops, there’s a mad dash to weaponize it before defenders even finish their morning coffee.
SimpleHelp 5.5.7 and earlier has been sitting wide open for abuse, and DragonForce didn’t hesitate. If you’re a downstream customer or embedded vendor still running this software unpatched, you’re not a target, you’re already compromised and just haven’t figured it out yet.