Breaking: SimpleHelp RCE Exploited by Medusa Ransomware Targeting Healthcare — 27 April 2026
SimpleHelp RCE Added to KEV as Medusa Ransomware Escalates Healthcare Campaign
CISA added two SimpleHelp remote support vulnerabilities to the Known Exploited Vulnerabilities catalog on April 24, both with confirmed active exploitation. CVE-2024-57726 carries a CVSS 9.9 critical rating: a missing authorization flaw that lets low-privileged technicians create API keys with server admin privileges. CVE-2024-57728 (CVSS 7.2) is a path traversal vulnerability allowing admin users to upload arbitrary files via a crafted zip, achieving remote code execution on the host. The remediation deadline for both is May 8.
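CVE-2024-57728 belongs to the zip path traversal class: an upload handler trusts the file names inside an archive and writes wherever they point. The following Python is an added illustration of that bug class and its fix, not SimpleHelp's code and not the Horizon3.ai analysis; the archive, the `uploads` directory and the entry names are constructed here purely as test data. The vulnerable `extract_unsafe` joins each entry name straight onto the destination, so an entry named `../escaped.txt` lands one directory above it; `extract_safe` resolves every entry first and refuses the whole archive if any entry escapes.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and one whose name climbs out
    of the extraction directory. Test data built here, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "benign content\n")
        zf.writestr("../escaped.txt", "written outside the upload directory\n")
    return buf.getvalue()


def is_contained(dest_dir: str, entry_name: str) -> bool:
    """True only if entry_name resolves to a path inside dest_dir."""
    # Zip entry names use '/'; a backslash is not a separator and is rejected outright.
    if not entry_name or "\\" in entry_name:
        return False
    root = os.path.abspath(dest_dir)
    # abspath collapses '.', '..' and an absolute entry name replaces root entirely,
    # so the containment test below catches both traversal and absolute paths.
    target = os.path.abspath(os.path.join(root, entry_name))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows
        return False


def extract_unsafe(zip_bytes: bytes, dest_dir: str) -> list:
    """Vulnerable pattern: trusts entry names and joins them onto dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def extract_safe(zip_bytes: bytes, dest_dir: str) -> list:
    """Hardened form: validate containment of every entry before writing anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        bad = [i.filename for i in infos if not is_contained(dest_dir, i.filename)]
        if bad:
            raise ValueError(f"rejected archive: entries escape {dest_dir}: {bad}")
        written = []
        for info in infos:
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def demo() -> dict:
    """Run both extractors in a throwaway directory and report what happened."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "uploads")
        os.makedirs(upload_dir)
        unsafe_written = extract_unsafe(data, upload_dir)
        try:
            extract_safe(data, os.path.join(tmp, "uploads_safe"))
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        return {
            # the escaped file sits beside 'uploads', i.e. outside the intended root
            "unsafe_escaped": os.path.isfile(os.path.join(tmp, "escaped.txt")),
            "unsafe_written": [os.path.relpath(p, tmp) for p in unsafe_written],
            "safe_rejected": safe_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the resolved path rather than by string-matching `..`, because encodings, repeated separators and absolute names all collapse correctly under `abspath`, and the archive is rejected as a whole so a partially extracted upload never exists on disk.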
The Threat Actor
Microsoft Threat Intelligence tracks the exploiters as Storm-1175, the operator behind Medusa ransomware. Their operational model is fast: they weaponize N-day vulnerabilities during the window between disclosure and patch adoption, and they have moved from initial access to ransomware deployment in as little as one day. SimpleHelp is one of several remote monitoring and management tools Storm-1175 deploys both as an initial access vector and for lateral movement after compromise.
Microsoft confirms Storm-1175 campaigns are heavily impacting healthcare organizations, with additional targeting of education, professional services, and finance sectors across Australia, the UK, and the US. The group has exploited over 16 vulnerabilities since 2023, including Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, CrushFTP, and BeyondTrust. They have also demonstrated zero-day capability, exploiting CVE-2026-23760 in SmarterMail a full week before public disclosure.
Why SimpleHelp Matters
SimpleHelp is remote support software deployed on internet-facing servers. It is exactly the class of perimeter asset Storm-1175 scans for. The combination of privilege escalation (CVE-2024-57726) and arbitrary file write leading to RCE (CVE-2024-57728) gives an attacker full control of the SimpleHelp server, which then becomes a pivot point into the internal network. Storm-1175 follows exploitation with account creation, RMM tool deployment for persistence, credential theft via LSASS dumps and Mimikatz, and ransomware delivery through PDQ Deployer.
The KEV addition comes with CISA's SSVC assessment of active exploitation and total technical impact for both vulnerabilities. Horizon3.ai published technical analysis and proof-of-concept details in January 2025. The exploits are not theoretical.
So What / Action
If your organisation runs SimpleHelp, upgrade to version 5.5.8 or later immediately. Do not treat the May 8 KEV deadline as your timeframe: Storm-1175 is exploiting these flaws right now, and their dwell time can be measured in hours. Any SimpleHelp instance exposed to the internet should be treated as potentially compromised. Check for unexplained admin accounts, unexpected RMM tool installations, and signs of lateral movement.
More broadly, this is the same perimeter exploitation pattern that has defined 2026. Internet-facing remote access tools are the primary initial access vector for ransomware operators. If it is exposed and unpatched, it will be found. Audit your external attack surface for any RMM or remote support tool that is not fully patched, and enforce network segmentation between these systems and critical infrastructure.
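The two action paragraphs above reduce to a small triage: which instances are below 5.5.8, which of those face the internet, and whether the host shows the post-exploitation signs named earlier (new admin accounts, RMM tools nobody installed). The script below is an added example of that triage logic, not tooling from CISA, Microsoft or SimpleHelp. It takes inventory and snapshot data as plain Python structures so it runs offline; the host names, versions, account names and program list are constructed sample data, and the watchlist contains only product names mentioned on this page (extend it with whatever your environment does not permit).

```python
import re

FIXED_VERSION = (5, 5, 8)  # from the advisory: upgrade to 5.5.8 or later

# Remote-support / RMM products named on the page, matched as lowercase substrings.
RMM_WATCHLIST = ("simplehelp", "screenconnect", "pdq deploy")

# Actions, from most to least urgent.
ISOLATE = "isolate-and-investigate"       # exposed and unpatched
REVIEW = "review-for-prior-compromise"    # exposed, patched now, but was it patched in time?
UPGRADE = "upgrade-now"                   # internal and unpatched
OK = "ok"                                 # internal and patched


def parse_version(text: str) -> tuple:
    """Turn '5.5.7' (or '5.5.7-rc1') into a comparable tuple of ints."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)


def is_patched(version: str) -> bool:
    # Tuple comparison is lexicographic, so (5, 6) > (5, 5, 8) and (5, 5) < (5, 5, 8).
    return parse_version(version) >= FIXED_VERSION


def prioritise(host: dict) -> str:
    """Map one SimpleHelp inventory record to an action."""
    patched = is_patched(host["version"])
    exposed = host["internet_exposed"]
    if exposed and not patched:
        return ISOLATE
    if exposed:
        return REVIEW
    if not patched:
        return UPGRADE
    return OK


def unexpected_admins(baseline: set, current: set) -> set:
    """Accounts in the admin group now that were not in the approved baseline."""
    return {a.lower() for a in current} - {a.lower() for a in baseline}


def rmm_installs(installed: list, allowed: set = frozenset()) -> list:
    """Installed programs matching the watchlist that are not explicitly approved."""
    allowed_low = {a.lower() for a in allowed}
    return [
        name for name in installed
        if any(w in name.lower() for w in RMM_WATCHLIST)
        and name.lower() not in allowed_low
    ]


# Constructed sample data (hypothetical hosts, accounts and software; not real findings).
INVENTORY = [
    {"host": "support-01", "version": "5.5.7", "internet_exposed": True},
    {"host": "support-02", "version": "5.5.8", "internet_exposed": True},
    {"host": "lab-rmm", "version": "5.4.0", "internet_exposed": False},
]
BASELINE_ADMINS = {"Administrator", "it-ops"}
CURRENT_ADMINS = {"Administrator", "it-ops", "svc_backup2"}
INSTALLED = ["Microsoft Office", "SimpleHelp Technician", "PDQ Deploy", "7-Zip"]


def run_triage() -> dict:
    """Combine the three checks into one report for the sample data."""
    return {
        "hosts": {h["host"]: prioritise(h) for h in INVENTORY},
        "new_admins": sorted(unexpected_admins(BASELINE_ADMINS, CURRENT_ADMINS)),
        # the organisation's own SimpleHelp client is approved; anything else on the list is flagged
        "rmm_hits": rmm_installs(INSTALLED, allowed={"SimpleHelp Technician"}),
    }


if __name__ == "__main__":
    for key, value in run_triage().items():
        print(f"{key}: {value}")
```

The ordering matters: an exposed, unpatched instance is isolated and investigated before it is upgraded, because patching first destroys evidence and does nothing about accounts or tooling the intruder already left behind. An exposed instance that is patched today still gets a review, since the page's guidance is that every internet-facing instance is potentially compromised, not only the unpatched ones.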

