
SimpleHelp
Remote monitoring and management tool; CVEs 2024-57726/57728 used by DragonForce as ransomware initial access.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How many MSP client networks are exposed when DragonForce gains control of a single SimpleHelp instance?
Timeline for SimpleHelp
Carried the SSO authentication-bypass flaw
Cybersecurity: Threats and Defences: Cisco tops a five-vendor KEV batchKB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Cybersecurity: Threats and DefencesIs SimpleHelp being used by ransomware groups in 2026?
What did NHS Digital warn about SimpleHelp?
How do attackers use SimpleHelp to get into company networks?
Background
SimpleHelp is a remote monitoring and management (RMM) software platform used by managed service providers and IT teams to remotely support end-user devices. In the U#3 reporting period, Arctic Wolf confirmed that DragonForce ransomware affiliates are exploiting CVE-2024-57726 and CVE-2024-57728 in SimpleHelp as an initial access vector for intrusions linked to The Gentlemen RaaS ecosystem.
CVE-2024-57726 and CVE-2024-57728 are authentication bypass and privilege escalation vulnerabilities respectively, disclosed in late 2024 and patched by SimpleHelp's developers. NHS Digital issued cyber alert CC-4623 in 2025 specifically warning about SimpleHelp exploitation, ahead of the May 2026 confirmation. The gap between NHS Digital's warning and confirmed ransomware use illustrates the lag between threat-intelligence advisories and actual mitigation in mid-market and SME environments that rely on MSPs for their IT support.
The abuse of legitimate RMM tools is a growing tactic: because RMM software is designed to have extensive remote access capabilities, attackers who gain control of an RMM instance can move laterally through every client network the MSP supports from a single compromised console. SimpleHelp is widely used in the UK SME and healthcare sectors, explaining NHS Digital's 2025 alert.