Summary The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025. SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727—a path traversal vulnerability.1 Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises.1 CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2025. CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise. Download the PDF version of this report: AA25-163A Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider (PDF, 420.49 KB ) Mitigations CISA recommends organizations implement the mitigations below to respond to emerging ransomware activity exploiting SimpleHelp software. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations. Vulnerable Third-Party Vendors If SimpleHelp is embedded or bundled in vendor-owned software or if a third-party service provider leverages SimpleHelp on a downstream customer’s network, then identify the SimpleHelp server version at the top of the file/SimpleHelp/configuration/serverconfig.xml. If version 5.5.7 or prior is found or has been used since January 2025, third-party vendors should: Isolate the SimpleHelp server instance from the internet or stop the server process. Upgrade immediately to the latest SimpleHelp version in accordance with SimpleHelp’s security vulnerability advisory.2 Contact your downstream customers to direct them to take actions to secure their endpoints and undertake threat hunting actions on their network. Vulnerable Downstream Customers and End Users Determine if the system is running an unpatched version of SimpleHelp RMM either directly or embedded in third-party software. SimpleHelp Endpoints Determine if an endpoint is running the remote access (RAS) service by checking the following paths depending on the specific environment: Windows: %APPDATA%\JWrapper-Remote Access Linux: /opt/JWrapper-Remote Access MacOs: /Library/Application Support/JWrapper-Remote Access If RAS installation is present and running, open the serviceconfig.xml file in /JWrapper-Remote Access/JWAppsSharedConfig/ to determine if the registered service is vulnerable. The lines starting with https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a