CISA Warns of Ransomware Threats Exploiting SimpleHelp Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory on June 12, 2025, highlighting the rising threat from ransomware groups exploiting unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software. The advisory indicates that these groups are targeting customers of an unnamed utility billing software provider through compromised SimpleHelp instances.

Since January 2025, CISA has observed a pattern of attacks directed at organizations utilizing outdated versions of SimpleHelp. According to the agency, flaws disclosed earlier this year – CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 – can lead to dangerous outcomes such as information disclosure and remote code execution. CISA noted that these vulnerabilities are currently being exploited by various ransomware groups, including DragonForce.

In one reported incident, cybercriminals used these vulnerabilities to breach a Managed Service Provider’s SimpleHelp deployment, which then allowed the attackers to penetrate further and access downstream customers. To combat this growing threat, CISA has outlined several mitigation strategies. Recommendations include isolating SimpleHelp server instances from the internet, notifying customers, and performing threat hunting to identify indicators of compromise.

CISA emphasized that victims should refrain from paying ransoms, as payment does not guarantee data recovery and may further incentivize the attackers. The agency also advised organizations to take preventative measures, such as maintaining clean backups, updating vulnerable versions, and ensuring remote services aren’t exposed to the internet.