ZCyberNews

CVE-2024-57728: SimpleHelp Path Traversal Lets Admins Upload

CISA adds CVE-2024-57728 to Known Exploited Vulnerabilities: SimpleHelp path traversal via zip slip allows admin users to upload arbitrary files and execute code. Due May 8, 2026.

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-57728 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of a path traversal flaw in SimpleHelp remote support software. The vulnerability, a zip slip-style arbitrary file upload, allows an authenticated admin user to write files anywhere on the host filesystem via a crafted zip archive. This can be chained to remote code execution (RCE) in the context of the SimpleHelp server process. CISA mandates that federal agencies apply mitigations per vendor instructions or discontinue use of the product by May 8, 2026. All SimpleHelp deployments—including those in non-federal enterprises—should treat this as an active threat.

Technical Analysis

CVE-2024-57728 resides in SimpleHelp's file upload functionality. The software accepts compressed zip archives from admin users during normal remote support operations. A path traversal vulnerability—commonly referred to as "zip slip"—occurs when the archive extraction logic does not properly sanitize file paths embedded within the zip entries. By crafting an archive containing entries with relative path components (e.g., ../../outside/authorized/path), an attacker with admin privileges can place files outside the intended extraction directory.

Because the SimpleHelp server process typically runs with sufficient privileges to serve the application, the arbitrary file write can be leveraged to overwrite executable binaries, configuration files, or scripts that the server loads at startup or during operation. This enables code execution without requiring additional authentication or user interaction beyond the initial admin-level access.
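The mechanism described above, as an added example that is not SimpleHelp's own code: a Python extractor written in the vulnerable join-then-write style, beside a hardened version that resolves each entry's target and refuses the archive when any entry lands outside the upload root. The archive is constructed in memory and its escaping entry name reuses the traversal pattern quoted above; the `uploads` directory, the entry names and all function names are assumptions for illustration. The `audit_archive` helper is the same containment check applied as a review step, which also serves the log-review recommendation further down.

```python
"""Zip slip: the vulnerable join-and-write pattern beside a hardened extractor.

Added example, not SimpleHelp's own code. The archive is constructed in
memory; its escaping entry name reuses the traversal pattern quoted above.
"""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path

TRAVERSAL_ENTRY = "../../outside/authorized/path/evil.txt"  # constructed


def build_sample_archive(include_traversal: bool) -> bytes:
    """Constructed upload: one benign entry, optionally one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("support/notes.txt", "benign content\n")
        if include_traversal:
            zf.writestr(TRAVERSAL_ENTRY, "landed outside the upload root\n")
    return buf.getvalue()


def naive_target(dest: Path, entry_name: str) -> Path:
    """Where join-then-write would put this entry. Joining keeps '..'
    components, and joining an absolute name discards `dest` entirely,
    so the result can be anywhere on the host filesystem."""
    return (dest / entry_name).resolve()


def escapes_root(dest: Path, entry_name: str) -> bool:
    """Containment check the vulnerable code lacks: the resolved target must
    be `dest` itself or sit somewhere below it."""
    root = dest.resolve()
    target = naive_target(root, entry_name)
    return target != root and root not in target.parents


def audit_archive(zip_bytes: bytes, dest: Path) -> list[str]:
    """Entry names that would land outside `dest`; use before extraction
    or when reviewing archives an admin has already uploaded."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if escapes_root(dest, name)]


def unsafe_extraction_plan(zip_bytes: bytes, dest: Path) -> list[Path]:
    """The vulnerable pattern as a dry run: every entry would be written to
    the joined path with no check. Returns the paths it would create."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [naive_target(dest, name) for name in zf.namelist()]


def extract_safe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Hardened extraction: reject the whole archive if any entry escapes,
    then write files below `dest` and return the paths written."""
    root = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [name for name in zf.namelist() if escapes_root(root, name)]
        if bad:
            raise ValueError(f"archive rejected, escaping entries: {bad}")
        written = []
        for info in zf.infolist():
            target = naive_target(root, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
        return written


def demo() -> dict:
    """Run both extractors against the constructed archives in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "uploads"
        dest.mkdir()
        root = dest.resolve()
        malicious = build_sample_archive(include_traversal=True)
        clean = build_sample_archive(include_traversal=False)
        plan = unsafe_extraction_plan(malicious, dest)
        try:
            extract_safe(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        written = extract_safe(clean, dest)
        return {
            "flagged": audit_archive(malicious, dest),
            "unsafe_escapes": [str(p) for p in plan if root not in p.parents],
            "malicious_rejected": rejected,
            "written": [p.relative_to(root).as_posix() for p in written],
        }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant is deliberately written by hand because Python's own `ZipFile.extractall` already strips `..` and drive components from entry names; the defect in question lives in code that joins the raw entry name to a destination and writes. The containment test resolves symlinks and `..` before comparing, which is what a `startswith` check on the unresolved string would miss.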

The vulnerability is cataloged by CISA with a required remediation date of May 8, 2026. NVD lists the issue at CVSS 7.2, which maps to high severity. The risk is still urgent because KEV inclusion means exploitation has been observed in the wild; the active-exploitation signal should drive patch priority even though the CVSS rating is below the critical threshold.

Mitigations & Recommendations

CISA's BOD 22-01 directive requires all U.S. federal civilian executive branch agencies to remediate KEV-listed vulnerabilities by the specified due date. For CVE-2024-57728, the deadline is May 8, 2026. Agencies that cannot apply vendor-supplied mitigations must discontinue use of SimpleHelp.

For non-federal organizations running SimpleHelp, the following steps are recommended:

  • Apply vendor patches immediately. Contact SimpleHelp support or check the vendor's security advisory for the specific version that addresses the zip slip flaw.
  • Restrict admin access. Since exploitation requires admin-level authentication, limit the number of users with administrative privileges. Enforce multi-factor authentication (MFA) for all admin accounts.
  • Monitor file system changes. Deploy file integrity monitoring (FIM) on SimpleHelp server hosts to detect unexpected file writes outside expected application directories.
  • Segment SimpleHelp servers. Place the server in a restricted network segment with minimal egress access. Do not expose the SimpleHelp admin interface to the internet unless absolutely necessary, and use VPN or bastion hosts for admin access.
  • Review logs. Audit SimpleHelp server logs for zip uploads that contain path traversal patterns. Look for file writes to system directories such as /etc, /usr/bin, or C:\Windows\System32.
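The log-review step above, as an added example that is not SimpleHelp's own tooling: a small scanner run over constructed log lines that flags upload entry names containing traversal sequences (raw or URL-encoded) and file writes under the system directories named in the recommendation. The line layout (`<timestamp> <event> user=<name> path=<path>`) is invented for illustration and would need to be adapted to the real server's log format; the sample lines and user names are constructed.

```python
"""Audit constructed log lines for zip-slip indicators.

Added example, not SimpleHelp's own log format: the line layout below is
invented for illustration, so adapt LINE_RE to the real server logs.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath, PureWindowsPath

# Directories where an upload should never land (from the advisory text).
SENSITIVE_DIRS = ("/etc", "/usr/bin", "C:\\Windows\\System32")

# '../' or '..\' in raw or URL-encoded form, anywhere in an entry name.
TRAVERSAL_RE = re.compile(r"(\.\.[\\/]|%2e%2e(%2f|%5c|[\\/]))", re.IGNORECASE)

# Constructed sample lines: <timestamp> <event> user=<name> path=<path>
SAMPLE_LOG = """\
2026-04-20T10:01:02Z upload user=alice path=support/notes.txt
2026-04-20T10:01:05Z upload user=bob path=../../outside/authorized/path/evil.txt
2026-04-20T10:02:11Z upload user=bob path=%2e%2e%2f%2e%2e%2fetc/cron.d/job
2026-04-20T10:03:40Z filewrite user=svc path=/etc/cron.d/job
2026-04-20T10:04:00Z filewrite user=svc path=/opt/simplehelp/uploads/notes.txt
2026-04-20T10:05:00Z filewrite user=svc path=C:\\Windows\\System32\\drivers\\x.sys
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) path=(?P<path>.+)$"
)


def in_sensitive_dir(path: str) -> bool:
    """True when `path` is one of SENSITIVE_DIRS or lies below one.

    Both path flavours are tried so that a single scanner handles logs from
    Linux and Windows hosts; component-wise comparison avoids matching
    '/etcetera' against '/etc' the way a prefix test would."""
    for p in (PurePosixPath(path), PureWindowsPath(path)):
        for d in SENSITIVE_DIRS:
            dp = type(p)(d)
            if p == dp or dp in p.parents:
                return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious line, with the reasons it matched."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a real scanner would count these
        path = m["path"]
        reasons = []
        if m["event"] == "upload" and TRAVERSAL_RE.search(path):
            reasons.append("traversal sequence in upload entry name")
        if m["event"] == "filewrite" and in_sensitive_dir(path):
            reasons.append("write under sensitive system directory")
        if reasons:
            findings.append(
                {"ts": m["ts"], "user": m["user"], "path": path, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["user"], f["path"], "; ".join(f["reasons"]))
```

Pairing the two signals is the useful part: an upload entry name with traversal components followed shortly by a write under a system directory from the service account is the sequence this flaw produces, and correlating them by time narrows the review to the admin session that submitted the archive.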

No public proof-of-concept exploit code has been confirmed at the time of publication, but CISA's KEV inclusion indicates that real-world exploitation is occurring. Defenders should not wait for a PoC to act.
