[KEV] CVE-2024-57728 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2024-57728 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2024-57728 is a path traversal (zip slip) vulnerability in SimpleHelp's remote support server software that allows authenticated administrative users to write arbitrary files to any location on the underlying file system.

Technical Detail

The flaw exists in SimpleHelp's file upload functionality, where the server fails to sanitize archive entry paths within a crafted zip file. An attacker with admin-level access can upload a specially constructed zip archive containing path traversal sequences (e.g., "../../") that cause files to be written outside the intended directory to arbitrary locations on the host file system. By placing a malicious file in an executable path or overwriting a sensitive configuration file, the attacker can achieve remote code execution in the security context of the SimpleHelp server process.

Exploitation Status

The exploit is rated as Operational, meaning functional exploit code exists and has been demonstrated in practice beyond a proof-of-concept stage. CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 24, 2026.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given that SimpleHelp is a remote support and access platform, exploitation of this vulnerability would be consistent with threat actors seeking persistent footholds in managed service provider environments or enterprise networks, but no named groups have been publicly attributed to active campaigns leveraging this CVE.

What To Do

Per the binding operational directive behind CISA's Known Exploited Vulnerabilities catalog (BOD 22-01), federal civilian executive branch agencies are required to apply vendor-provided patches or mitigations by the deadline specified in the KEV entry. All organizations should treat this as a high-priority patch regardless of the CVSS score, which does not reflect the confirmed in-the-wild exploitation. Administrators should apply the latest available SimpleHelp update immediately, restrict administrative access to the SimpleHelp management interface to trusted IP ranges, and audit recent admin-level file upload activity for signs of zip slip exploitation. Monitor for unexpected files written outside standard SimpleHelp directories, and review server process activity for anomalous child process execution.
