Federal cybersecurity officials report ransomware gangs are targeting a flaw in SimpleHelp remote software amid a wave of recent attacks. 

CISA has issued a warning that hackers exploited CVE-2024-57727 in SimpleHelp tools to breach a utility billing software provider’s customer base. 

Officials at CISA refused to elaborate on when the advisory was issued or which attacks were involved. 

IT professionals often use SimpleHelp, a remote access solution that allows them to control and manage computers regardless of location. 

“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp…since January 2025,” CISA said. 

Federal officials believe CVE-2024-57727 was used by ransomware gangs to target unpatched SimpleHelp tools, impacting customers in dual-layer extortion attacks. 

First cataloged by CISA in February, CVE-2024-57727 remains a top concern, with the agency urging rapid patching by vendors, customers, and end users. 

Law enforcement reports that Play ransomware affiliates continue using a known SimpleHelp vulnerability to breach U.S. networks. The ongoing misuse of remote access tools like SimpleHelp is raising red flags among defenders.