CVE-2024-57727

HIGH KEV RANSOMWARE NUCLEI

SimpleHelp Path Traversal Vulnerability CVE-2024-57727

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2024-57727 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 13, 2025, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including iSee857, imjdl, horizon3ai, imjdl, jheysel-r7, including a Metasploit module auxiliary/scanner/http/simplehelp_toolbox_path_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2026-22812, targeting OpenCode with a command execution vulnerability via session manipulation. The script includes multi-threaded scanning and payload delivery to achieve RCE.

Description

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.

Exploits (3)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/SimpleHelp(CVE-2024-57727).py

The repository contains a functional exploit for CVE-2026-22812, targeting OpenCode with a command execution vulnerability via session manipulation. The script includes multi-threaded scanning and payload delivery to achieve RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenCode (version unspecified)
No auth needed
Prerequisites: network access to target · OpenCode service exposed
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 14 stars
by imjdl · infoleak
https://github.com/imjdl/CVE-2024-57727

This PoC exploits a path traversal vulnerability (CVE-2024-57727) by sending a crafted GET request to retrieve the server's configuration file. The script checks for the presence of a specific string in the response to confirm vulnerability.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SimpleHelp Server (version not specified)
No auth needed
Prerequisites: Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by horizon3ai, imjdl, jheysel-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/simplehelp_toolbox_path_traversal.rb

This Metasploit module exploits a path traversal vulnerability in SimpleHelp's /toolbox-resource endpoint, allowing unauthenticated attackers to download arbitrary files from the server. It includes version checking and file retrieval functionality.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SimpleHelp versions 5.5.0-5.5.7, 5.4.0-5.4.9, 5.3.0-5.3.8
No auth needed
Prerequisites: Network access to the target SimpleHelp server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

SimpleHelp <= 5.5.7 - Unauthenticated Path Traversal
HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch,3th1cyuk1
Shodan: html:"SimpleHelp"

References (3)

Core 3

Scores

CVSS v3 7.5
EPSS 0.9405
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-02-13
VulnCheck KEV 2025-01-31
ENISA EUVD EUVD-2024-53725
Ransomware Use Confirmed
CWE
CWE-22
Status published
Products (1)
simple-help/simplehelp < 5.5.8
Published Jan 15, 2025
KEV Added Feb 13, 2025
Tracked Since Feb 18, 2026