CISA has added two SimpleHelp remote monitoring and management vulnerabilities — CVE-2024-57726 and CVE-2024-57728 — to its Known Exploited Vulnerabilities catalog on 24 April. US federal agencies have until 8 May to patch. Anyone running an unpatched SimpleHelp server should be moving today, not next week.
The two flaws — a missing-authorisation bug (CVSS 9.9) and a path traversal flaw — can be chained to take over the SimpleHelp server, then pivot into every endpoint that server manages. As reported by The Hacker News, ransomware crews including DragonForce and Medusa have been using these bugs as initial access into managed service providers and their downstream customers.
For Australian SMBs, this matters even if you’ve never heard of SimpleHelp. If your IT provider — or any vendor with remote access into your environment — is running it, an unpatched server is a back door into your systems. Notifiable Data Breaches reporting in 2025 under the Privacy Act treats a compromise via a third-party tool the same as a direct breach: you still own the obligation to notify affected individuals.
What to do this week: ask your IT provider, in writing, whether they use SimpleHelp anywhere in their delivery stack. If yes, confirm they’re on version 5.5.8 or later, that the management portal isn’t exposed to the public internet, and that they’ve reviewed audit logs for unusual API key creation. If you run your own SimpleHelp instance, upgrade now and rotate any technician credentials and API keys created before the patch.
If you’d like a second set of eyes on which vendors hold remote access into your environment, All IT Services’ cybersecurity team can help you map third-party access and tighten the controls around it.