SimpleHelp Flaws Are Being Actively Exploited — Federal Deadline Just Passed
Yesterday was CISA’s federal patch deadline for two critical SimpleHelp remote-support flaws, CVE-2024-57726 and CVE-2024-57728, both now in the agency’s Known Exploited Vulnerabilities catalogue. As reported by The Hacker News, attackers are chaining the two: CVE-2024-57726 lets a low-privileged technician account create API keys with admin-level scope, and CVE-2024-57728, which needs those admin rights, abuses a “zip slip” path traversal in the server’s file-upload handling to write files anywhere the server process can, which is enough for remote code execution on the SimpleHelp server. A Samsung MagicINFO 9 Server flaw (CVE-2024-7399) and a D-Link DIR-823X command injection were added to the catalogue in the same advisory.
If your business, or your IT provider, uses SimpleHelp for remote support, this matters. The tool sits quietly inside a lot of Australian SMB environments because it is lightweight, easy to deploy, and popular with smaller MSPs, and a compromised support server gives an attacker the same remote access your technicians have to every machine running the agent. CISA’s deadline formally binds only US federal agencies, but the message applies to everyone: these flaws are being exploited in the wild right now. If an unpatched server leads to a compromise of personal information, that is a real exposure under the Privacy Act’s Notifiable Data Breaches scheme.
What to do today:
- Confirm whether SimpleHelp Server or its agent is installed anywhere in your environment — including any remote tools your IT provider runs on your behalf.
- If it is there, get the server onto a fixed build (5.5.8, 5.4.10 or 5.3.9, or anything newer) and treat the old build as potentially compromised: rotate the administrator and technician passwords, and review the API key list for any key you did not create, since CVE-2024-57726 is about minting admin-scoped keys.
- For Samsung MagicINFO digital signage and D-Link DIR-823X routers, apply the vendor fixes now or take the management interfaces off the public internet.
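As an added example (not tooling from SimpleHelp, CISA or the source article), here is a Python checker that works through an exported software inventory, flags SimpleHelp components, and tells you whether each server build is at or above the fixed builds SimpleHelp shipped in January 2025 (5.5.8, 5.4.10 and 5.3.9). The tab-separated inventory format, the component names used to spot SimpleHelp entries, and the treatment of branches newer than 5.5 as fixed are assumptions; the sample inventory is constructed.

```python
"""Flag SimpleHelp components in a software inventory and check server builds
against the fixed versions for CVE-2024-57726 / CVE-2024-57728.

Example code written for this post, not SimpleHelp's or CISA's tooling.
Assumption: inventory lines are "host<TAB>product<TAB>version", as exported
from an RMM or from the Windows installed-programs list.
"""
import re
from typing import NamedTuple, Optional

# Fixed builds per branch (SimpleHelp, January 2025).
FIXED_BUILDS = {(5, 3): (5, 3, 9), (5, 4): (5, 4, 10), (5, 5): (5, 5, 8)}
NEWEST_FIXED_BRANCH = max(FIXED_BUILDS)

# Assumption: product-name substrings that identify SimpleHelp server/agent
# entries in an inventory export.
SIMPLEHELP_MARKERS = ("simplehelp", "jwrapper-remote access")


class Finding(NamedTuple):
    host: str
    product: str
    version: Optional[tuple]
    status: str


def parse_version(text: str) -> Optional[tuple]:
    """Pull a dotted x.y.z build out of a version string; None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_patched(version: tuple) -> bool:
    """True if the build is the fixed build for its branch or newer."""
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return version >= FIXED_BUILDS[branch]
    # Assumption: branches newer than 5.5 shipped after the fix; anything
    # older than 5.3 never received one and must be upgraded.
    return branch > NEWEST_FIXED_BRANCH


def assess(inventory_text: str) -> list:
    """Return a Finding for every SimpleHelp component in the inventory."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split("\t")]
        if len(parts) < 2:
            continue  # malformed export line, nothing to classify
        host, product = parts[0], parts[1]
        version_text = parts[2] if len(parts) > 2 else ""
        name = product.lower()
        if not any(marker in name for marker in SIMPLEHELP_MARKERS):
            continue
        version = parse_version(version_text)
        if "server" not in name:
            # The CVEs are server-side; an agent tells you which server to check.
            status = "agent present: check the server it reports to"
        elif version is None:
            status = "server, version unknown: confirm in the admin console"
        elif is_patched(version):
            status = "server patched"
        else:
            status = "server UNPATCHED: upgrade and rotate credentials"
        findings.append(Finding(host, product, version, status))
    return findings


# Constructed sample inventory (not real hosts): host<TAB>product<TAB>version
SAMPLE_INVENTORY = """\
# constructed sample
DC01\tMicrosoft Edge\t131.0.2903.70
SUPPORT-SRV\tSimpleHelp Server\t5.5.7
WS-014\tJWrapper-Remote Access\t5.5.7
MSP-RELAY\tSimpleHelp Server\t5.4.10
OLD-SRV\tSimpleHelp Server\t5.2.4
BRANCH-SRV\tSimpleHelp Server
WS-022\t7-Zip\t24.08
"""

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        ver = ".".join(map(str, f.version)) if f.version else "?"
        print(f"{f.host:12} {f.product:24} {ver:8} {f.status}")
```

Feed it your own export and anything marked UNPATCHED or "version unknown" goes to the top of today's list; agent hits tell you which hosts a compromised server could have reached.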
Not sure what your provider runs? Ask directly — and ask whether they’ve applied this patch. If you’d like an independent check of your remote-support stack and what it’s exposing, the All IT team can help with that.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
