Detect SimpleHelp Missing Authorization Vulnerability (CVE-2024-57726) in Splunk
CVE-2024-57726 is a missing authorization vulnerability (CWE-862) in SimpleHelp remote support software versions 5.5.7 and earlier. This CISA KEV-listed vulnerability allows unauthenticated or low-privileged attackers to bypass authorization controls, potentially enabling unauthorized access to administrative functions, file system traversal, or remote code execution on systems running the SimpleHelp server. Active exploitation has been observed in the wild.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("iis", "apache", "jetty:access", "simplehelp", "wineventlog", "sysmon")
| eval is_simplehelp_traffic = if(match(uri_path, "(?i)(simplehelp|/api/|/admin|/tech/|/customer/)") OR match(process_name, "(?i)(SimpleHelp|simplehelp-server)"), 1, 0)
| where is_simplehelp_traffic=1
| eval auth_bypass_indicator = case(
match(uri_path, "(?i)(/admin|/operator|/api/admin)") AND (http_status IN ("200", "201", "204")) AND isnull(auth_header), "Unauthenticated admin access",
match(uri_path, "(?i)/api/") AND method="POST" AND http_status="200" AND isnull(user), "Unauthenticated API call",
match(process_name, "(?i)SimpleHelp") AND match(CommandLine, "(?i)(cmd\.exe|powershell|bash|sh )"), "Suspicious child process from SimpleHelp",
true(), "SimpleHelp activity"
)
| where auth_bypass_indicator != "SimpleHelp activity"
| stats count as event_count, values(src_ip) as source_ips, values(uri_path) as accessed_paths, values(auth_bypass_indicator) as indicators by host, _time
| sort -event_countSPL query to detect CVE-2024-57726 exploitation through missing authorization checks in SimpleHelp. Looks for unauthenticated access to admin/API paths, suspicious HTTP responses indicating bypassed auth, and anomalous child processes spawned from SimpleHelp service.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate SimpleHelp technicians accessing admin interface from whitelisted IPs
- Automated health-check scripts polling SimpleHelp status endpoints
- Security scanners performing authorized assessments of SimpleHelp installations
- SimpleHelp's own internal service-to-service API calls during normal operation
Other platforms for CVE-2024-57726
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated SimpleHelp Admin Endpoint Access
Expected signal: Web server access logs will show HTTP GET/POST requests to /admin or /api/ paths from the test IP with no Authorization header or session cookie. If vulnerable, HTTP 200 response codes will be logged. Network monitoring will show connections to the SimpleHelp service port from the test host.
- Test 2SimpleHelp Operator Privilege Escalation via Missing Auth
Expected signal: Windows: PowerShell Script Block Logging (Event ID 4104) will capture the Invoke-WebRequest calls. Network: HTTP requests to /api/admin/* endpoints will appear in SimpleHelp access logs. Sysmon Event ID 3 will log network connections from powershell.exe to the SimpleHelp host.
- Test 3Post-Exploitation Command Execution via SimpleHelp Remote Session
Expected signal: Linux: auditd will log bash process creation with the reconnaissance commands (execve syscalls). Syslog will record the command execution. On the SimpleHelp server, session logs will show a remote session connection from an unrecognized IP with commands executed. Network telemetry will show the SimpleHelp client-server communication pattern.
- Test 4SimpleHelp Configuration Exfiltration via Unauthorized API Access
Expected signal: Web server logs on the SimpleHelp host will record sequential GET requests to multiple API endpoints from the same source IP within a short timeframe — a pattern indicative of automated enumeration. Network monitoring will show the HTTP request/response pairs. If SimpleHelp logs API access, entries without authentication context will appear.
Unlock Pro Content
Get the full detection package for CVE-2024-57726 including response playbook, investigation guide, and atomic red team tests.