What happened
CVE-2024-57728 is a Zip Slip-style path traversal in the SimpleHelp remote support server, affecting versions 5.5.7 and earlier. An administrator who uploads a crafted archive can write arbitrary files and execute code as the SimpleHelp service user [NVD, Vendor advisory]. The issue is being exploited in the wild, as confirmed by its inclusion in CISA’s Known Exploited Vulnerabilities catalog [CISA KEV]. The vulnerability entry and advisory track it under CVSS 7.2 with a high-impact (C:H/I:H/A:H) vector, underscoring real operational risk to exposed SimpleHelp deployments [NVD, MITRE].
Why it matters
This flaw sits behind admin authentication but is trivial to weaponize once an attacker holds elevated access: the CVSS vector reflects low attack complexity (AC:L), high required privileges (PR:H), and no user interaction (UI:N), with high confidentiality, integrity and availability impact (C:H/I:H/A:H) [NVD]. Admin panels are compromised routinely via credential reuse, phishing, or post-compromise lateral movement; paired with a simple archive payload, the arbitrary file-write primitive turns into server-side code execution in one move [NVD]. Independent research has already detailed critical SimpleHelp weaknesses and exploitation approaches, which shortens the window from disclosure to weaponization for motivated actors [Horizon3.ai]. The CISA KEV listing elevates this from “patch when able” to “treat as an active intrusion vector now” [CISA KEV].
Technical detail
- Vulnerability class: Zip Slip (archive extraction path traversal). An authenticated admin uploads a ZIP whose entries contain directory traversal sequences (e.g., ../) that escape the intended extraction directory [NVD, Horizon3.ai].
- Affected scope: SimpleHelp server v5.5.7 and earlier, as documented by the vendor advisory and tracked in the CVE record [Vendor advisory, MITRE].
- Impact: Arbitrary file write anywhere on the file system, enabling arbitrary code execution on the host in the context of the SimpleHelp server user account (scope unchanged, S:U) [NVD, Vendor advisory].
- Preconditions: The attacker must authenticate as an administrative user to the SimpleHelp server; once authenticated, exploitation requires no further user interaction and is low complexity per the CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) [NVD].
- Exploit shape: A ZIP archive uploaded via the admin upload function contains entries with traversal elements (e.g., ../../target), causing the extraction routine to write files outside the intended path. This is the canonical Zip Slip exploitation pattern described in public SimpleHelp research disclosures [Horizon3.ai, NVD].
The combination of a high-privilege precondition and deterministic exploitation means that any theft or reuse of an admin credential can immediately translate to arbitrary file write and server takeover using a single crafted archive [NVD, CISA KEV].
Defense
- Patch/upgrade: Apply the vendor-provided fixes for SimpleHelp releases later than 5.5.7; the vendor documents the vulnerability and remediation guidance in its security notice. Prioritize patching for any internet-exposed servers [Vendor advisory, CISA KEV].
- Access control: Ensure only trusted administrators can reach the SimpleHelp admin interface; this vulnerability requires PR:H, and minimizing exposure of that surface reduces the blast radius of credential compromise [NVD].
- Exploit detection: Hunt for evidence of archive entries containing traversal patterns (../) in admin-driven uploads to the server, as demonstrated in public research on SimpleHelp exploitation pathways [Horizon3.ai].
- Incident response: Because this CVE is on the Known Exploited list, treat vulnerable instances as potential compromise candidates and validate the integrity of server-side files following the vendor advisory’s guidance and the CVE impact description [CISA KEV, NVD].
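The following is an added example written for this page; it is not SimpleHelp code and does not reproduce the vendor's extraction routine or any real exploit archive. It illustrates both the Zip Slip mechanics from the Technical detail section and the detection bullet above: a constructed in-memory ZIP carries one benign entry plus entries that try to escape the extraction root (../, backslash separators, an absolute path); naive_target_paths shows where a join-without-containment-check extractor would write them, find_traversal_entries flags them without writing anything, and safe_extract refuses the whole archive unless every entry resolves inside the install root. The install-root name and all entry names are assumptions for the demo.

```python
import io
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def build_test_archive(include_traversal: bool = True) -> bytes:
    """Constructed fixture: an in-memory ZIP with one benign entry and,
    optionally, entries whose names try to escape the extraction root
    (the Zip Slip pattern). Not derived from any real SimpleHelp archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/readme.txt", "benign content\n")
        if include_traversal:
            zf.writestr("../escaped.txt", "lands in the parent of the root\n")
            zf.writestr("plugin/..\\..\\escaped2.txt", "backslash separators\n")
            zf.writestr("/tmp/escaped3.txt", "absolute path entry\n")
    return buf.getvalue()


def entry_escapes(name: str, dest: Path) -> bool:
    """True if ZIP entry `name`, joined naively onto `dest`, resolves outside
    `dest`. Backslashes count as separators because Windows-authored archives
    and extractors running on Windows honour them."""
    name = name.replace("\\", "/")
    if PurePosixPath(name).is_absolute() or PureWindowsPath(name).is_absolute():
        return True
    root = dest.resolve()
    target = (root / name).resolve()
    return target != root and root not in target.parents


def find_traversal_entries(archive: bytes, dest: Path) -> list[str]:
    """Detection: entry names that would escape `dest`, plus symlink entries
    (a symlink written first can redirect a later, clean-looking write).
    Pure name and metadata analysis; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if entry_escapes(info.filename, dest)
            or stat.S_ISLNK(info.external_attr >> 16)
        ]


def naive_target_paths(archive: bytes, dest: Path) -> list[Path]:
    """The defect class behind Zip Slip: destination joined with the raw entry
    name and no containment check. Only computes the paths, never writes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(dest / i.filename.replace("\\", "/")).resolve() for i in zf.infolist()]


def safe_extract(archive: bytes, dest: Path) -> list[str]:
    """Hardened extraction: validate every entry before the first write and
    reject the whole archive on any unsafe entry, so a partial extraction
    never leaves attacker-chosen files behind. Returns the paths written."""
    dest = dest.resolve()
    bad = find_traversal_entries(archive, dest)
    if bad:
        raise ValueError(f"archive rejected, unsafe entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target.relative_to(dest).as_posix())
    return written


def demo() -> dict:
    """Run detection, the naive plan and hardened extraction against the
    constructed fixtures inside a throwaway temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "simplehelp-install"  # hypothetical install root
        dest.mkdir()
        root = dest.resolve()
        malicious = build_test_archive(include_traversal=True)
        clean = build_test_archive(include_traversal=False)

        flagged = find_traversal_entries(malicious, dest)
        naive_escapes = [p for p in naive_target_paths(malicious, dest)
                         if root not in p.parents]
        try:
            safe_extract(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        written = safe_extract(clean, dest)
        # Anything that appeared next to the install root would be a leak.
        leaked = sorted(p.name for p in Path(tmp).iterdir() if p.is_file())
        return {
            "flagged": flagged,
            "naive_escapes": len(naive_escapes),
            "rejected": rejected,
            "written": written,
            "files_outside_install_root": leaked,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. First, Python's own zipfile.extractall already strips leading slashes and ".." components, so the manual open-and-write loop above mirrors what a naive extractor in another runtime has to guard against; the containment check is on the resolved path, not on the presence of a "../" substring, which also catches backslash separators, absolute paths and symlink entries that a plain string hunt would miss. Second, rejecting the whole archive rather than skipping bad entries keeps the install root in a known state, which is what an incident responder validating file integrity after the fact needs.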
Lyrie Verdict
CVE-2024-57728 is a deterministic admin-to-RCE via Zip Slip. Lyrie treats SimpleHelp servers as high-risk control planes. In practice: we auto-baseline the SimpleHelp service’s allowed write scope and flag any archive extraction that attempts to traverse beyond its install root; anomalous file writes by the SimpleHelp process to privileged paths trigger immediate containment at machine speed. The result: even if an attacker shows up with valid admin creds, the rogue archive never gets to rewrite the host.
References: NVD, MITRE, CISA KEV, Vendor advisory, Horizon3.ai
Lyrie Verdict
Admin-to-RCE via Zip Slip. Lyrie baselines SimpleHelp’s write scope and blocks traversal-based archive writes in real time, isolating the server before persistence lands.
Validated sources
- [1] NVD
- [2] GitHub Advisory
- [3] MITRE
- [4] CISA KEV