Severity: Critical | Known exploited (KEV) | Ransomware use | CVE-2024-57726

Missing Authorization in SimpleHelp Could Allow Privilege Escalation to Server Admin (CVE-2024-57726)

Vendor / product: SimpleHelp / SimpleHelp | Added to KEV: Apr 24, 2026 | Federal remediation due: 2026-05-08

The remote support/RMM tool SimpleHelp has a missing-authorization flaw that lets a low-privilege technician create an overly privileged API key and escalate to server administrator. It is listed in CISA's Known Exploited Vulnerabilities catalog and has been used in ransomware campaigns.

Key facts

  • CVE ID: CVE-2024-57726
  • CVSS base score: 9.9 CRITICAL
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Affected (vendor / product): SimpleHelp / SimpleHelp
  • CWE: CWE-862 (Missing Authorization)
  • Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
  • Remediation due: 2026-05-08 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Affects the SimpleHelp remote support / RMM product, made by the vendor of the same name (CVE-2024-57726).
  • The weakness type is Missing Authorization.
  • A low-privilege technician can create an overly privileged API key and escalate to server administrator.
  • Added to CISA KEV on 2026-04-24, confirmed in ransomware use (remediation due 2026-05-08).
  • Official NVD CVSS score is 9.9 (CRITICAL).

SimpleHelp is a remote support / RMM (Remote Monitoring and Management) tool that lets technicians connect to users' devices to provide support and manage operations. RMM refers to managing and operating many endpoints from a single console. Because such tools concentrate strong control over a large number of devices, a compromise of their administrative functions can spread quickly to the customer and internal endpoints they reach.

This flaw is a missing authorization issue (CWE-862): an action that should be permitted only after a proper permission check can be carried out without that check. Specifically, a low-privilege technician can create an overly privileged API key (a secret credential a program presents to access the service) and use it to act with server administrator (server admin) privileges. What makes the issue serious is captured in the CVSS vector: it is reachable over the network (AV:N), needs only a low-privilege account (PR:L), requires no user interaction, and crosses a security boundary (S:C) from a single technician login to control of the whole server.
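To make the weakness class concrete, here is an added example, not SimpleHelp's code and not derived from the vendor's fix: a generic API-key creation routine that only validates the requested role name (the missing-authorization pattern) beside a version that also compares the requested privilege with the requester's own role, plus an audit helper for the follow-up question the FAQ below raises. The role names, the key record format and the sample data are assumptions made for illustration only.

```python
"""Illustrative CWE-862 pattern (not SimpleHelp's code): API-key creation
that trusts the caller's requested privilege level, beside a version that
checks the requester's own role first, plus an audit over an assumed
key-inventory format."""
from dataclasses import dataclass, field
import secrets

# Assumed role ladder, lowest to highest. Real products differ.
ROLE_RANK = {"technician": 1, "supervisor": 2, "server_admin": 3}


@dataclass
class User:
    name: str
    role: str


@dataclass
class ApiKey:
    owner: str  # account that requested the key
    role: str   # privilege level the key carries
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AuthorizationError(Exception):
    pass


def create_api_key_vulnerable(requester: User, requested_role: str) -> ApiKey:
    """Missing authorization: the only check is that the role name exists.
    A technician can ask for 'server_admin' and receive it."""
    if requested_role not in ROLE_RANK:
        raise ValueError(f"unknown role {requested_role!r}")
    return ApiKey(owner=requester.name, role=requested_role)


def create_api_key_fixed(requester: User, requested_role: str) -> ApiKey:
    """Authorization check: a key may never carry more privilege than the
    account creating it. Unknown roles are denied rather than defaulted."""
    if requested_role not in ROLE_RANK or requester.role not in ROLE_RANK:
        raise AuthorizationError("unknown role")
    if ROLE_RANK[requested_role] > ROLE_RANK[requester.role]:
        raise AuthorizationError(
            f"{requester.name} ({requester.role}) may not mint a "
            f"{requested_role} key")
    return ApiKey(owner=requester.name, role=requested_role)


def find_overprivileged_keys(keys, users):
    """Post-patch review: return keys whose privilege exceeds their owner's
    current role, or whose owner account no longer exists (orphan keys).
    `users` maps account name -> role at time of review."""
    flagged = []
    for k in keys:
        owner_role = users.get(k.owner)
        if owner_role is None or ROLE_RANK[k.role] > ROLE_RANK.get(owner_role, 0):
            flagged.append(k)
    return flagged


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    tech = User("t1", "technician")
    bad_key = create_api_key_vulnerable(tech, "server_admin")
    print("vulnerable path issued:", bad_key.role, "key to", tech.role)
    try:
        create_api_key_fixed(tech, "server_admin")
    except AuthorizationError as e:
        print("fixed path denied:", e)
    inventory = [bad_key, ApiKey("a1", "server_admin"), ApiKey("ghost", "technician")]
    for k in find_overprivileged_keys(inventory, {"t1": "technician", "a1": "server_admin"}):
        print("review:", k.owner, "holds", k.role, "key")
```

The audit function is the part a responder actually needs after patching: applying the vendor update closes the creation path but does not revoke keys a technician account already minted, so the inventory has to be compared against current roles.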

CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on 2026-04-24 and identifies it as confirmed in ransomware use. Under Binding Operational Directive (BOD) 22-01, U.S. federal agencies are directed to remediate by 2026-05-08. The indicated response is to apply mitigations per the vendor's instructions and, if mitigations are not possible, to discontinue use of the product. Exploitation of a foundational tool such as an RMM server is typically used as an initial foothold for a wider intrusion, so this should be treated with the highest priority.

Why it matters

Because RMM is a foundational layer that ties together many internal and external endpoints, takeover of administrative privileges can spread broadly, and confirmed ransomware use makes the potential impact on business continuity substantial. With a CISA KEV listing and a stated remediation deadline, organizations using the affected product should prioritize review and response.

FAQ

Why is a vulnerability in an RMM tool significant?
RMM (remote monitoring and management) tools hold strong, centralized control over many endpoints, so if their administrative functions are compromised, the impact can cascade across the customer and internal devices they reach.
What does 'missing authorization' mean?
It is a flaw where an action that should be allowed only after checking the user's permissions can be performed without sufficient verification. Here it appears as a low-privilege technician being able to create an overly privileged API key.
What response is required?
Apply mitigations according to the vendor's instructions and, if mitigation is not possible, discontinue use. Under BOD 22-01, U.S. federal agencies are directed to remediate by 2026-05-08. Because the flaw lets a technician account create an admin-level API key, patching alone does not revoke keys that may already have been created; review existing API keys and technician accounts for privilege that exceeds what their owners should hold, and rotate or remove anything unexpected.

Sources (primary)

This article is an independent compilation based on official U.S. data sources (the CISA KEV catalog and NVD). Always verify the exact, latest details and applicability with the official and vendor sources.

Tags: CISA KEV, SimpleHelp, RMM, missing authorization, privilege escalation, ransomware, CVE-2024-57726
Disclaimer: This site independently summarizes and classifies information based on official data sources. Always verify the latest and accurate information with the official sources. Content on finance, health, legal, and security is information, not advice. This site is not an official website of the U.S. government.