CVE-2024-57728

Analyzed
Published: 15 Jan 2025, 00:00
Last modified:25 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
medium
29/100
CVSS Score
7.2 HIGH
v3.1 (cve.org)
EPSS Score
1.17% LOW
1% probability +0.01%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

15 Jan 2025, 00:00
Published
Vulnerability first disclosed
24 Apr 2026, 00:00
Added to CISA KEV
SimpleHelp Path Traversal Vulnerability
25 Apr 2026, 03:55
Last Modified
Vulnerability information updated
08 May 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

SimpleHelp remote support software v5.5.7 and before allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

CVSS Metrics

  • v3.1HIGHScore: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 1.17% Percentile: 79%

Techniques & Countermeasures

  • CWE-59Improper Link Resolution Before File Access ('Link Following')

    The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • simple-helpsimplehelp

    < 5.5.8

References (5)