{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2024-57728/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-57728"}],"_cs_exploited":false,"_cs_products":["SimpleHelp"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-57728","path-traversal","zip-slip"],"_cs_type":"advisory","_cs_vendors":["SimpleHelp"],"content_html":"\u003cp\u003eA path traversal vulnerability exists within SimpleHelp, identified as CVE-2024-57728. This flaw enables authenticated administrators to upload arbitrary files to any location on the server\u0026rsquo;s file system. This is achieved through the use of a specially crafted ZIP archive (a technique known as Zip Slip). Successful exploitation allows an attacker to execute arbitrary code within the security context of the SimpleHelp server user. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Defenders should apply vendor-provided mitigations or discontinue use of the software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the SimpleHelp console, either through compromised credentials or exploiting a separate authentication bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., \u0026ldquo;../../ malicious.exe\u0026rdquo;) in its filename.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive to the SimpleHelp server through a file upload functionality available to administrators.\u003c/li\u003e\n\u003cli\u003eThe SimpleHelp server extracts the contents of the ZIP archive without proper validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe file with the path traversal sequence is extracted to an arbitrary location on the file system outside of the intended upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a method to execute the uploaded malicious executable. This could involve overwriting an existing system utility or service executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with the privileges of the SimpleHelp server user.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the host, potentially leading to complete system compromise, data exfiltration, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-57728 allows an attacker to execute arbitrary code on the SimpleHelp server with the privileges of the SimpleHelp service account. This can result in a full compromise of the SimpleHelp server, potentially leading to data theft, service disruption, or further lateral movement within the network. The vulnerability affects SimpleHelp installations, and the impact is high due to the potential for complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by SimpleHelp to patch the vulnerability. Refer to the vendor advisory for instructions: \u003ca href=\"https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\"\u003ehttps://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMonitor SimpleHelp server file uploads for ZIP archives containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;) in filenames using a file integrity monitoring system (FIM) or endpoint detection and response (EDR) solution. Deploy the \u0026ldquo;Detect SimpleHelp Path Traversal ZIP Upload\u0026rdquo; Sigma rule to identify suspicious ZIP files.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit administrative access to the SimpleHelp console to prevent unauthorized users from exploiting the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-25T10:00:00Z","date_published":"2024-06-25T10:00:00Z","id":"/briefs/2024-06-simplehelp-path-traversal/","summary":"CVE-2024-57728 is a path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.","title":"SimpleHelp Path Traversal Vulnerability (CVE-2024-57728)","url":"https://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2024-57728","version":"https://jsonfeed.org/version/1.1"}