ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 4/24/2026

What happened

CISA added CVE-2024-57728 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-04-24, signaling active exploitation in the wild [CISA KEV]. The entry covers a SimpleHelp server flaw tracked as a path traversal (CWE-22) “zip slip” issue that enables arbitrary file writes and code execution [NVD entry]. The CVE record is published and maintained by the CVE Program under CVE-2024-57728 [MITRE CVE].

Per the KEV entry, federal agencies must remediate or apply mitigations by 2026-05-08 under CISA’s required action guidance [CISA KEV]. The specific risk: an authenticated administrator can upload a crafted ZIP archive to the SimpleHelp server and force writes outside the intended extraction path, leading to arbitrary file placement and subsequent code execution under the SimpleHelp service account [NVD entry].

Why it matters

Inclusion in KEV means this vulnerability is being used by attackers now, not just theoretically [CISA KEV]. The flaw enables an admin to perform path traversal via a malicious ZIP (“zip slip”) and place files anywhere the server process can write on the file system [NVD entry]. When those files are executable or loaded by the application, the attacker can achieve arbitrary code execution as the SimpleHelp server user, expanding the blast radius on that host [NVD entry].

Because exploitation is possible through the product’s own upload/extract workflow, once an adversary controls or coerces an administrative session, execution becomes a low-friction, server-side action [NVD entry]. That makes this a high-priority fix for any environment operating SimpleHelp, especially in support or remote-access roles where the service user often touches sensitive systems [CISA KEV].

Technical detail

CVE-2024-57728 is categorized as a path traversal (CWE-22) that manifests during ZIP archive handling (“zip slip”) [NVD entry]. The vulnerable flow allows an authenticated SimpleHelp administrator to upload a crafted ZIP whose entries contain traversal sequences (e.g., ../), causing extraction routines to write files outside the intended directory [NVD entry]. As described in the CVE record, this arbitrary file write primitive permits planting attacker-controlled files anywhere reachable by the server process [MITRE CVE].

The impact extends to code execution when the placed files are executed or interpreted by the host in the context of the SimpleHelp server user [NVD entry]. The KEV listing confirms that adversaries are actively exploiting this condition, which elevates urgency beyond normal patch cycles [CISA KEV]. Key constraints and properties based on the record:

  • Threat model requires an authenticated admin to upload the malicious archive (not a pre-auth remote exploit) [NVD entry].
  • Primitive is arbitrary file write via traversal during unzip, consistent with the CWE-22 classification [NVD entry].
  • Resulting execution runs as the SimpleHelp server user, inheriting that account’s privileges on the host [NVD entry].
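To make the mechanism in the bullets above concrete, the following Python is an added example, not code from the page, the vendor, or the CVE record. It builds a constructed in-memory archive whose second entry carries a `../` component, beside a benign archive, and runs both through an extraction routine that validates every entry against the destination root before writing anything. The archive entry names, the scratch paths, and the `is_entry_safe`/`safe_extract` functions are assumptions for illustration; they are not SimpleHelp's extraction code. The same check is what a validation test of a fixed extractor would assert.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the extraction root."""


def is_entry_safe(root, member_name: str) -> bool:
    """Return True only if `member_name` stays inside `root` after normalization.

    Rejects absolute names and drive letters, any '..' component, and finally
    anything whose fully resolved path is not contained in the resolved root
    (so symlinked or unusually normalized names cannot slip through).
    """
    root = Path(root).resolve()
    normalized = member_name.replace("\\", "/")   # archives may carry Windows separators
    pure = PurePosixPath(normalized)
    if pure.is_absolute() or os.path.splitdrive(normalized)[0]:
        return False
    if ".." in pure.parts:
        return False
    target = (root / pure).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest) -> list:
    """Extract an in-memory ZIP into `dest`, refusing the whole archive on any traversal entry.

    Every entry is validated before a single byte is written, so a rejected
    archive leaves no partial output behind. Returns the entry names written.
    """
    dest = Path(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_entry_safe(dest, info.filename):
                raise ZipSlipError(f"rejected traversal entry: {info.filename!r}")
        dest.mkdir(parents=True, exist_ok=True)
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / PurePosixPath(info.filename.replace("\\", "/"))
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed helper: build an in-memory ZIP from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)   # writestr does not sanitize names, just as naive extractors do not
    return buf.getvalue()


# Constructed sample archives (assumed entry names, not from the page or the product).
BENIGN_ZIP = build_archive({"config/settings.txt": b"ok", "branding/logo.txt": b"logo"})
TRAVERSAL_ZIP = build_archive({"config/settings.txt": b"ok", "../escape.txt": b"outside"})


def demo() -> dict:
    """Run both archives through safe_extract in a scratch directory and report the outcome."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        scratch = Path(d)
        result["benign"] = safe_extract(BENIGN_ZIP, scratch / "benign")
        try:
            safe_extract(TRAVERSAL_ZIP, scratch / "hostile")
            result["traversal"] = "extracted"   # must never happen
        except ZipSlipError as exc:
            result["traversal"] = str(exc)
        # '../escape.txt' relative to scratch/hostile would have landed at scratch/escape.txt.
        result["escaped_file_exists"] = (scratch / "escape.txt").exists()
        result["hostile_dir_created"] = (scratch / "hostile").exists()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that validation runs over the whole entry list before extraction begins: an archive that mixes benign entries with one traversal entry is rejected outright rather than half-applied, which also keeps the "partial restore" case out of incident triage.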

Defense

CISA mandates remediation or mitigations by 2026-05-08: apply vendor fixes, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations aren’t available [CISA KEV]. Prioritize patching for all instances of SimpleHelp covered by CVE-2024-57728 and confirm that the vulnerable ZIP extraction code path is no longer reachable [NVD entry].

Interim hardening and detection moves:

  • Lock down who can reach the admin interface: only trusted networks with strong authentication should reach admin sessions that could trigger archive imports [CISA KEV].
  • Increase scrutiny on archive handling; if operationally feasible, suspend or tightly control ZIP-based import/restore features until patched [NVD entry].
  • Monitor for indicators aligned to arbitrary file writes: unexpected file creation outside application data paths by the SimpleHelp server user following an admin ZIP upload event [NVD entry].
  • Hunt for post-write execution: processes spawned by the SimpleHelp service account that load newly created binaries/scripts shortly after archive extraction [NVD entry].
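The last two bullets describe a sequence (admin upload, out-of-path write by the service user, execution of the written file) rather than a single indicator. The Python below is an added example, not from the page or any vendor, that correlates that sequence over a handful of constructed telemetry lines. The line format, the field names, the service account name `simplehelp`, the allowed data root, and all paths are assumptions for illustration; real SimpleHelp logs and EDR events will need their own parser.

```python
import shlex
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumptions for illustration: the service account name and the directories the
# server legitimately writes to. Neither value is taken from the page or the product.
SERVICE_USER = "simplehelp"
ALLOWED_ROOTS = ("/opt/SimpleHelp/data",)

# Constructed sample telemetry (not real logs). One admin upload is followed by two
# service-user file creations and a process start; the last line is routine activity.
SAMPLE_EVENTS = [
    '2026-04-24T10:00:01Z upload user=admin1 session=s42 name=branding.zip',
    '2026-04-24T10:00:02Z file_create user=simplehelp path=/opt/SimpleHelp/data/branding/logo.png',
    '2026-04-24T10:00:03Z file_create user=simplehelp path=/var/tmp/dropped.sh',
    '2026-04-24T10:00:09Z process_start user=simplehelp image=/bin/sh cmdline="/bin/sh /var/tmp/dropped.sh"',
    '2026-04-24T11:30:00Z file_create user=simplehelp path=/opt/SimpleHelp/data/logs/server.log',
]


def parse_line(line: str) -> tuple:
    """Parse '<iso-ts> <kind> key=value ...' into (timestamp, kind, fields)."""
    ts_text, kind, *pairs = shlex.split(line)   # shlex keeps the quoted cmdline as one token
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(pair.split("=", 1) for pair in pairs)
    return ts, kind, fields


def outside_allowed(path: str) -> bool:
    """True when `path` is not under any directory the server is expected to write to."""
    p = PurePosixPath(path)
    for root in ALLOWED_ROOTS:
        r = PurePosixPath(root)
        if p == r or r in p.parents:
            return False
    return True


def correlate(lines, window=timedelta(minutes=5)) -> list:
    """Link admin uploads to out-of-path writes by the service user, then to execution of that file.

    A write outside ALLOWED_ROOTS within `window` of an upload yields a medium alert;
    a service-user process that references the written file within `window` of the
    write raises the alert to high.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    alerts = []
    for up_ts, up_kind, up in events:
        if up_kind != "upload":
            continue
        for w_ts, w_kind, w in events:
            if (w_kind != "file_create" or w.get("user") != SERVICE_USER
                    or not up_ts <= w_ts <= up_ts + window
                    or not outside_allowed(w["path"])):
                continue
            alert = {
                "severity": "medium",
                "admin": up["user"],
                "session": up["session"],
                "upload": up.get("name"),
                "path": w["path"],
                "executed_by": None,
            }
            for p_ts, p_kind, p in events:
                if (p_kind == "process_start" and p.get("user") == SERVICE_USER
                        and w_ts <= p_ts <= w_ts + window
                        and (p.get("image") == w["path"] or w["path"] in p.get("cmdline", ""))):
                    alert["severity"] = "high"
                    alert["executed_by"] = p.get("cmdline") or p.get("image")
                    break
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it emits one high-severity alert tying session `s42` to the write of `/var/tmp/dropped.sh` and its execution; the in-path write to the branding directory and the later log write produce nothing. The allow-list of expected write roots is the knob that decides the false-positive rate, so it should be built from observed baseline activity of the service user before the rule is turned on.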

Document and retain evidence if exploitation is suspected; KEV inclusion indicates real-world abuse, so treat anomalies as potentially malicious until proven otherwise [CISA KEV]. Validate remediation by exercising the archive import with test archives and confirming that the updated extraction logic neutralizes traversal sequences instead of writing outside the target directory [MITRE CVE].

Lyrie Verdict

This is a classic archive-based path traversal with live abuse pressure, and it rewards speed [CISA KEV]. Lyrie prioritizes autonomous, machine-speed detection on the exact behaviors that matter here: traversal-on-extract patterns and immediate post-extract execution under the SimpleHelp service user [NVD entry]. We flag file writes outside expected directories during ZIP handling, correlate to admin-session activity, and escalate when that sequence culminates in process starts tied to the dropped artifacts [NVD entry]. For a vuln already in KEV, waiting for human triage is how you lose ground; we let defenders cut the dwell time to seconds by automating the telltale sequence end-to-end [CISA KEV].

Lyrie Verdict

We treat CVE-2024-57728 as an active, archive-driven traversal risk and auto-detect traversal-on-extract with rapid correlation to service-user execution [NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-57728). That closes the window between malicious ZIP upload and code run without waiting for human reaction time [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).