Which vulnerabilities were exploited in the SimpleHelp attack?

Sophos researchers have medium confidence that the attack exploited a chain of three critical vulnerabilities in SimpleHelp disclosed in January 2025: CVE-2024-57727 (CVSS 7.5) for multiple path traversal vulnerabilities, CVE-2024-57728 (CVSS 7.2) for arbitrary file upload vulnerability, and CVE-2024-57726 (CVSS 9.9) for privilege escalation vulnerability.

What data was exposed in the SimpleHelp supply chain attack?

The exposed data included device names and configurations, user information, network connection details, and sensitive client data (specific types not disclosed). The attackers systematically collected this information during reconnaissance across multiple customer environments managed by the MSP.

Who is the DragonForce ransomware group?

DragonForce is the ransomware group that orchestrated this supply chain attack targeting the MSP's SimpleHelp RMM infrastructure. They used the compromised MSP access to deploy ransomware across multiple endpoints while stealing sensitive data from downstream customers.

What is SimpleHelp RMM software?

SimpleHelp is remote monitoring and management (RMM) software used by Managed Service Providers (MSPs) to remotely monitor, manage, and support their clients' IT infrastructure. The vulnerabilities in this software enabled the supply chain attack affecting multiple downstream customers.

What makes this a supply chain attack?

This is classified as a supply chain attack because the attackers compromised a Managed Service Provider (MSP) that provides IT services to multiple downstream customers. By compromising the MSP's SimpleHelp RMM infrastructure, the attackers were able to use the MSP's trusted access to deploy ransomware and steal data from multiple client organizations.

What was the attack methodology used in the SimpleHelp compromise?

The attackers gained access to the MSP's SimpleHelp RMM tool, injected malicious installer files disguised as legitimate software, deployed these through the MSP's infrastructure to clients, conducted systematic reconnaissance to collect device and user information, exfiltrated sensitive data, and finally deployed DragonForce ransomware to encrypt systems.

Knowledge

DragonForce ransomware exploits SimpleHelp vulnerabilities in MSP supply chain attack

Q: How many organizations were affected by the SimpleHelp attack?

The exact number of affected individuals and organizations is not disclosed. Sophos was unable to identify the specific MSP targeted or provide precise numbers regarding how many customers were ultimately impacted by the ransomware and data theft, though multiple downstream customers were confirmed affected.

Q: Were any organizations able to defend against this attack?

Yes, one of the MSP's clients successfully blocked the attack through Sophos MDR (Managed Detection and Response) and extended detection and response capabilities. However, multiple other downstream customers were impacted by both ransomware encryption and data exfiltration.

published: May 28, 2025

Take action: A compromise of a trusted vendor has terrible and far reaching consequences. There isn't an obvious solution. You need to do a lot of little things and do them consistently - vendor assessment and questionnaires putting formal pressure, isolation and access restrictions adding a layer of prevention and patching and intrusion detection as an internal layer of defense.

Learn More

Sophos reports a supply chain attack orchestrated by the DragonForce ransomware group that has compromised an unidentified Managed Service Provider (MSP) and multiple downstream customers through the exploitation of vulnerabilities in SimpleHelp remote monitoring and management (RMM) software.

The attack involved hackers gaining access to the MSP's SimpleHelp RMM tool and using it to deploy DragonForce ransomware across multiple endpoints while stealing sensitive data. Sophos researchers have medium confidence that the attack exploited a chain of three critical vulnerabilities in SimpleHelp that were disclosed in January 2025:

CVE-2024-57727 (CVSS score 7.5): Multiple path traversal vulnerabilities
CVE-2024-57728 (CVSS score 7.2): Arbitrary file upload vulnerability
CVE-2024-57726 (CVSS score 9.9): Privilege escalation vulnerability

The attack began when threat actors accessed the MSP's SimpleHelp RMM instance and injected a malicious installer file that appeared to be legitimate software. This installer was deployed through the MSP's own infrastructure to its clients.

The attackers used this installer to gain access and conduct reconnaissance across multiple customer environments managed by the MSP, systematically collecting device names and configurations, user information, and network connection details. Once within the networks, the attackers exfiltrated sensitive client data and deployed DragonForce ransomware to encrypt systems.

The exposed data included:

Device names and configurations
User information
Network connection details
Sensitive client data (specific types not disclosed)

The exact number of affected individuals and the financial value of the incident are not disclosed. Sophos was unable to identify the specific MSP targeted or provide precise numbers regarding how many customers were ultimately impacted by the ransomware and data theft.

While one of the MSP's clients successfully blocked the attack through Sophos MDR and extended detection and response capabilities, multiple other downstream customers were impacted by both ransomware encryption and data exfiltration.

DragonForce ransomware exploits SimpleHelp vulnerabilities in MSP supply chain attack

Read More
State of (in)security - Week 52, 2023
State of (in)security - Week 39, 2024
State of (in)security - Week 10, 2026
State of (in)security - Week 40, 2024
State of (in)security - Week 31, 2023