Illustration: JMiks | Shutterstock
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning companies of a ransomware attack on an unnamed utility billing software provider. The attack exploited an unpatched version of SimpleHelp’s remote monitoring and management (RMM) tool.
According to CISA, this isn’t an isolated incident. The report claims that “this incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.” SimpleHelp had patched its software in a January update, but versions older than 5.5.7 remain vulnerable to CVE-2024-57727 and several other vulnerabilities.
In this case, ransomware operators exploited CVE-2024-57727, a path traversal vulnerability, to access outdated versions run by SimpleHelp customers. Exploitation has led to disrupted services and double extortion compromises.
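Because the affected range is defined by a version threshold (anything older than 5.5.7), the practical first step for a defender is an inventory check. The script below is an added example, not code from the article, CISA or SimpleHelp: it assumes you already have a host-to-version mapping (a constructed sample is embedded) and only performs a correct version comparison, so that a string like "5.5.10" is not mistaken for being older than "5.5.7". Hostnames and versions in the sample are made up, and the code makes no claim about where SimpleHelp records its version on disk.

```python
"""Flag SimpleHelp RMM installs whose reported version is older than 5.5.7.

Added example for illustration. It assumes an existing inventory of
host -> version string (constructed sample below) and does nothing but
the comparison; how you collect the version strings is up to your tooling.
"""
import re
from typing import Dict, List, Tuple

# Threshold from the advisory coverage: versions older than 5.5.7
# remain affected by CVE-2024-57727.
FIXED_VERSION = "5.5.7"

# Leading numeric component, optional 'v' prefix; suffixes like '-beta' are ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.5.7', 'v5.4.10' or '5.5.7-beta' into a tuple of ints.
    Raises ValueError when the string has no leading numeric component."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts strictly below the fixed release.
    Tuple comparison avoids the string-compare trap ('5.5.10' < '5.5.7')."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so that 5.5 compares as 5.5.0.
    n = max(len(v), len(f))
    v += (0,) * (n - len(v))
    f += (0,) * (n - len(f))
    return v < f


def find_unpatched(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames running a version below the fixed release, sorted.
    Hosts with unparsable versions are reported too: an unknown version is
    unverified, and should be checked rather than silently skipped."""
    flagged = []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "rmm-srv-01": "5.5.7",
    "rmm-srv-02": "5.4.10",
    "rmm-srv-03": "v5.5.10",
    "rmm-srv-04": "5.5",
    "rmm-srv-05": "unknown",
}

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to {FIXED_VERSION} or later")
```

Run against the sample, the script flags rmm-srv-02 (5.4.10), rmm-srv-04 (5.5, which pads to 5.5.0) and rmm-srv-05 (unparsable), while 5.5.7 and 5.5.10 pass. Treating unparsable versions as findings rather than skipping them is deliberate: a host whose RMM version cannot be read is exactly the one that tends to be forgotten during patching.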

This isn’t the first time this vulnerability has been exploited, and CISA isn’t the only authority that has warned about it. CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) had issued a warning on June 4 about the Play ransomware group, which was caught exploiting the same SimpleHelp vulnerability in double extortion attacks.
For breached companies, CISA’s latest advisory suggests using SimpleHelp’s remote access tools to look for any evidence of compromise and updating to the latest version of the software as soon as possible. As for the breaches themselves, Candid.Technology hasn’t seen any major ransomware group claiming new attacks that might be related to the advisory at the time of writing.
That said, ransomware negotiations usually take a few weeks before either the targeted company or the ransomware group publicly reveals the attack, so it may just be a matter of time before this or more victims come to light. Since these cases also usually involve data theft, the stolen data may also be offered for sale on underground hacking forums.