For the past week, threat actors have been observed targeting devices running SimpleHelp remote management software for initial access, Arctic Wolf reports.
The attacks started roughly a week after SimpleHelp released patches for three vulnerabilities in its remote access solutions that could allow attackers to fully compromise the server and client machines.
The three flaws, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, could allow attackers to retrieve logs and configuration files and extract credentials, log in as administrators or technicians to upload arbitrary files and execute arbitrary code, and elevate their privileges to those of an administrator.
Missing authorization checks in certain administrator functions could allow a user with a technician role to gain administrative privileges and take over the SimpleHelp server, and then interact with client machines.
“If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software,” Arctic Wolf notes.
The cybersecurity firm has observed threat actors accessing devices through an unapproved SimpleHelp server instance, and leveraging the session to enumerate accounts and domain information via command prompt.
According to Arctic Wolf, the SimpleHelp process had already been running on the targeted devices prior to the compromise, but the remote access session was terminated before the attack progressed further.
“While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible,” the cybersecurity firm notes.
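The observed behaviour above (a SimpleHelp client session from an unapproved server, followed by account and domain enumeration from a command prompt) can be turned into a simple detection. The following is an added example, not code from Arctic Wolf or SimpleHelp; the client process name, the approved-server allowlist and the sample events are constructed assumptions that must be adapted to a real deployment.

```python
"""Flag SimpleHelp sessions from unapproved servers and RMM-spawned enumeration."""
from dataclasses import dataclass

# ASSUMPTION: name of the SimpleHelp client process in your environment.
SIMPLEHELP_PARENTS = {"remote access.exe"}
# ASSUMPTION: constructed allowlist of SimpleHelp servers your team operates.
APPROVED_SERVERS = {"simplehelp.corp.example"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Account/domain enumeration commands commonly run from a command prompt.
ENUM_COMMANDS = ("net user", "net group", "net localgroup", "whoami", "nltest", "dsquery")


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent process image name
    image: str    # child process image name
    cmdline: str  # child command line
    server: str   # SimpleHelp server the session came from (constructed field)


def is_enumeration(cmdline: str) -> bool:
    lowered = cmdline.lower()
    return any(cmd in lowered for cmd in ENUM_COMMANDS)


def evaluate(ev: ProcEvent) -> list:
    """Return finding labels for one process-creation event (empty if benign)."""
    findings = []
    if ev.parent.lower() not in SIMPLEHELP_PARENTS:
        return findings  # only sessions driven by the SimpleHelp client matter here
    if ev.server.lower() not in APPROVED_SERVERS:
        findings.append("unapproved-server")
    if ev.image.lower() in SHELLS and is_enumeration(ev.cmdline):
        findings.append("enumeration-via-rmm")
    return findings


# Constructed sample telemetry; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "Remote Access.exe", "cmd.exe", "cmd.exe /c net user /domain && nltest /dclist:", "203.0.113.10"),
    ProcEvent("ws02", "Remote Access.exe", "cmd.exe", "cmd.exe /c ipconfig /all", "simplehelp.corp.example"),
    ProcEvent("ws03", "explorer.exe", "cmd.exe", "cmd.exe /c whoami /groups", ""),
    ProcEvent("ws04", "Remote Access.exe", "powershell.exe", "powershell -c whoami", "simplehelp.corp.example"),
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map host -> findings for every event that produced at least one finding."""
    return {ev.host: evaluate(ev) for ev in events if evaluate(ev)}


if __name__ == "__main__":
    for host, labels in run().items():
        print(host, labels)
```

Approved-server matching on a bare hostname is deliberately simple; in production, normalise the server field (port, IP vs. DNS name) before comparing.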
On Monday, the Shadowserver Foundation said it started tracking SimpleHelp instances impacted by CVE-2024-57727 and identified roughly 580 of them. As of January 28, at least a dozen of them have been patched, data from Shadowserver shows.