
SimpleHelp
Remote monitoring and management tool; CVEs 2024-57726/57728 used by DragonForce as ransomware initial access.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How many MSP client networks are exposed when DragonForce gains control of a single SimpleHelp instance?
Timeline for SimpleHelp
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Cybersecurity: Threats and Defences
- Is SimpleHelp being used by ransomware groups in 2026?
- Yes. Arctic Wolf confirmed DragonForce ransomware affiliates are exploiting CVE-2024-57726 and CVE-2024-57728 in SimpleHelp as an initial access vector for The Gentlemen RaaS operations in 2026. Source: Arctic Wolf
- What did NHS Digital warn about SimpleHelp?
- NHS Digital issued cyber alert CC-4623 in 2025 warning about exploitation of SimpleHelp, ahead of the May 2026 confirmation by Arctic Wolf that DragonForce was actively using the tool as an initial access vector. Source: NHS Digital
- How do attackers use SimpleHelp to get into company networks?
- Attackers exploit authentication bypass (CVE-2024-57726) and privilege escalation (CVE-2024-57728) vulnerabilities to gain control of SimpleHelp server instances. From there, they can remotely access every device that the MSP manages through that SimpleHelp deployment. Source: Arctic Wolf
Background
SimpleHelp is a remote monitoring and management (RMM) software platform used by managed service providers and IT teams to remotely support end-user devices. In the U#3 reporting period, Arctic Wolf confirmed that DragonForce ransomware affiliates are exploiting CVE-2024-57726 and CVE-2024-57728 in SimpleHelp as an initial access vector for intrusions linked to The Gentlemen RaaS ecosystem.
CVE-2024-57726 and CVE-2024-57728 are authentication bypass and privilege escalation vulnerabilities respectively, disclosed in late 2024 and patched by SimpleHelp's developers. NHS Digital issued cyber alert CC-4623 in 2025 specifically warning about SimpleHelp exploitation, ahead of the May 2026 confirmation. The gap between NHS Digital's warning and confirmed ransomware use illustrates the lag between threat-intelligence advisories and actual mitigation in mid-market and SME environments that rely on MSPs for their IT support.
The abuse of legitimate RMM tools is a growing tactic: because RMM software is designed to have extensive remote access capabilities, attackers who gain control of an RMM instance can move laterally through every client network the MSP supports from a single compromised console. SimpleHelp is widely used in the UK SME and healthcare sectors, explaining NHS Digital's 2025 alert.