Ransomware Groups Exploit SimpleHelp Flaw; CISA Urges Urgent Security Upgrades
June 13, 2025
The exploited SimpleHelp vulnerability, tracked as CVE-2024-57727, has a CVSS score of 7.5 and allows attackers to access sensitive information, including credentials and API keys.
This security defect was patched in January 2025, along with two other vulnerabilities, but many systems remain unprotected.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported a concerning trend of ransomware groups exploiting vulnerabilities in SimpleHelp software, particularly targeting unpatched versions since early 2025.
Specifically, ransomware operators are leveraging a vulnerability in SimpleHelp to attack customers of a utility billing software provider, raising alarms about the security of these systems.
Organizations using SimpleHelp versions 5.5.7 or earlier are urged to disconnect vulnerable systems, upgrade to secure versions, and monitor their server traffic to mitigate risks.
CISA has recommended that organizations isolate SimpleHelp servers from the internet, update to the latest version, and conduct thorough threat monitoring to counter the ransomware threat.
CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) list in February 2025, following reports of its exploitation.
Among the ransomware groups exploiting these flaws, DragonForce has been identified as breaching targets to access downstream customers' systems for double extortion attacks.
In a related incident, Fog ransomware, which has targeted various sectors including technology and education, has claimed 100 victims since its detection in May 2024.
The Fog ransomware attack used advanced techniques, including the use of employee monitoring software, suggesting a potential espionage motive.
CISA has cautioned against paying ransoms, as payment does not guarantee file recovery and may encourage further attacks.
End-users are advised to disconnect affected devices, perform clean installations, and restore data from secure backups to ensure their systems are secure.
Summary based on 2 sources