The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with its federal partners, has issued a high-priority alert (AA25-163A) detailing how ransomware actors have exploited unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software to breach a utility billing software provider, impacting its downstream customer base.
"This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the advisory states.
At the center of this campaign is CVE-2024-57727, a path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) Catalog in February 2025, emphasizing its confirmed exploitation in the wild.
"Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers' unpatched SimpleHelp RMM for disruption of services in double extortion compromises," the report reveals.
The attack underscores the increasing threat to software supply chains, particularly when third-party vendors embed insecure RMM tools like SimpleHelp into their products. Organizations relying on affected vendors may be unknowingly exposed to high-risk remote access vulnerabilities.
CISA strongly urges affected entities to take the following steps:
For Third-Party Vendors:
- Immediately upgrade SimpleHelp to the latest version.
- Isolate or shut down vulnerable SimpleHelp servers.
- Notify downstream customers and recommend urgent endpoint threat hunting.

For Downstream Customers:

- Identify SimpleHelp version and services on systems.
- Hunt for signs of compromise, such as suspicious executables (e.g., aaa.exe, bbb.exe) created after January 2025.
- Monitor outbound/inbound traffic for anomalies.
- Upgrade or remove unpatched RMM components.

"Even if there is no evidence of compromise, users should immediately upgrade to the latest SimpleHelp version," the advisory stresses.
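The two downstream-customer checks above (is the installed version in the affected range, and are there indicator-named executables created after January 2025) can be scripted. This is an added example, not CISA's or SimpleHelp's code; it assumes the version string is supplied by the operator (for instance from the server's admin console, since the on-disk location is not stated in the advisory), uses file modification time as a portable stand-in for creation time, and builds its own constructed sample directory.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Facts taken from the advisory: CVE-2024-57727 affects SimpleHelp 5.5.7 and
# earlier; aaa.exe / bbb.exe created after January 2025 are the example indicators.
AFFECTED_MAX = (5, 5, 7)
SUSPICIOUS_NAMES = {"aaa.exe", "bbb.exe"}
CUTOFF = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_version(text):
    """Turn a version string such as '5.5.7' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version_text):
    """True when the reported SimpleHelp version is 5.5.7 or earlier."""
    return parse_version(version_text) <= AFFECTED_MAX


def hunt_executables(root):
    """Return files under root whose name is a listed indicator and whose
    modification time is on or after the cutoff. mtime is used so the check runs
    on any OS; on a live Windows host prefer the creation timestamp."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in SUSPICIOUS_NAMES:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime >= CUTOFF:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed sample tree (hypothetical): one indicator-named file after the
    cutoff, one before it, and one unrelated binary that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="simplehelp-hunt-"))
    samples = {"aaa.exe": "2025-03-01", "bbb.exe": "2024-06-01", "svc.exe": "2025-03-01"}
    for name, day in samples.items():
        f = root / name
        f.write_bytes(b"MZ")  # placeholder bytes, not a real executable
        stamp = datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp()
        os.utime(f, (stamp, stamp))
    return [p.name for p in hunt_executables(root)]


if __name__ == "__main__":
    print("5.5.7 affected:", is_affected("5.5.7"), "| 5.5.8 affected:", is_affected("5.5.8"))
    print("hunt hits:", demo())
```

On a real host, point `hunt_executables` at the drive root or the SimpleHelp install directory and extend `SUSPICIOUS_NAMES` with the full indicator list from the advisory.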
Organizations hit by ransomware are advised to:
- Disconnect compromised systems immediately.
- Wipe and reinstall using clean media.
- Restore from secure, offline backups.
- Report the incident to CISA, the FBI's IC3, or local field offices.

"CISA and FBI do not encourage paying ransom as payment does not guarantee victim files will be recovered," the advisory concludes.