Detect SimpleHelp Path Traversal Vulnerability (CVE-2024-57728) in Splunk
Detects exploitation of CVE-2024-57728, a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. Attackers can traverse directory boundaries to read arbitrary files from the server, potentially exposing credentials, configuration files, and sensitive system data. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
SPL Detection Query
index=* sourcetype IN ("access_combined", "iis", "nginx:plus:kv", "apache:access", "simplehelp") earliest=-7d
| eval uri=coalesce(uri, uri_path, cs_uri_stem), clientip=coalesce(clientip, c_ip)
| eval decoded_uri=urldecode(uri)
| eval decoded_uri=urldecode(decoded_uri)
| where match(decoded_uri, "(?i)(\.\./|%2e%2e%2f|%252e%252e|\.\.%2f)")
    OR match(uri, "(?i)(%2e%2e|%252e%252e|\.\.%2f|%2f%2e%2e)")
| eval traversal_depth=mvcount(split(decoded_uri, "../")) - 1
| eval severity_rank=case(
    traversal_depth >= 4, 3,
    traversal_depth >= 2, 2,
    traversal_depth >= 1, 1,
    true(), 0
  )
| eval severity=case(
    severity_rank=3, "critical",
    severity_rank=2, "high",
    severity_rank=1, "medium",
    true(), "low"
  )
| eval target_file=mvindex(split(decoded_uri, "/"), -1)
| eval suspicious_target=if(match(target_file, "(?i)(passwd|shadow|web\.xml|config|credentials|id_rsa|\.env|application\.properties)"), "YES", "NO")
| stats count as request_count, values(decoded_uri) as traversal_uris, values(clientip) as source_ips, max(severity_rank) as max_severity_rank, values(suspicious_target) as suspicious_targets by host, status
| eval max_severity=case(
    max_severity_rank=3, "critical",
    max_severity_rank=2, "high",
    max_severity_rank=1, "medium",
    true(), "low"
  )
| fields - max_severity_rank
| sort - request_count

SPL query to detect HTTP path traversal exploitation attempts against SimpleHelp servers. It normalises the request-path and client-IP field names across the listed sourcetypes (IIS logs expose them as cs_uri_stem and c_ip), decodes URL encoding twice so that double-encoded sequences such as %252e%252e%252f are caught, and scores each hit by traversal depth and by whether the final path segment names a sensitive file. The regexes carry (?i) so that %2E is matched like %2e. Severity is carried through stats as a numeric rank because max() on string values orders lexicographically and would rank "medium" above "critical".
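As an added example (not code from the page, from Splunk or from SimpleHelp), the following Python reproduces the query's logic over a handful of constructed access_combined events, so the double-decode step, the depth scoring and the per-host severity aggregation can be checked offline before the SPL is deployed. The hostnames, IPs, request paths and file names in SAMPLE_EVENTS are constructed; the regexes are applied case-insensitively so that %2E is treated like %2e, and severity is aggregated by numeric rank rather than by label string for the same reason the query should do so.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Regexes mirror the SPL match() calls; IGNORECASE treats %2E like %2e.
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e%2f|%252e%252e|\.\.%2f)", re.IGNORECASE)
RAW_TRAVERSAL_RE = re.compile(r"(%2e%2e|%252e%252e|\.\.%2f|%2f%2e%2e)", re.IGNORECASE)
SENSITIVE_RE = re.compile(
    r"(passwd|shadow|web\.xml|config|credentials|id_rsa|\.env|application\.properties)",
    re.IGNORECASE,
)
# Numeric rank: max() over the label strings would order them lexicographically
# ("medium" > "low" > "high" > "critical"), which is wrong for alerting.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Minimal access_combined / common-log parser: client IP, request line, status.
ACCESS_LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample events as (host, log line); hosts, IPs and paths are hypothetical.
SAMPLE_EVENTS = [
    ("web01", '10.0.0.5 - - [01/Feb/2025:10:00:01 +0000] "GET /allversions HTTP/1.1" 200 512'),
    ("web01", '10.0.0.9 - - [01/Feb/2025:10:00:02 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1403'),
    ("web01", '10.0.0.9 - - [01/Feb/2025:10:00:03 +0000] "GET /files/%252e%252e%252f%252e%252e%252f%252e%252e%252fWEB-INF/web.xml HTTP/1.1" 403 0'),
    ("web02", '10.0.0.12 - - [01/Feb/2025:10:00:04 +0000] "GET /files/..%2fimages/logo.png HTTP/1.1" 200 88'),
    ("web02", '10.0.0.12 - - [01/Feb/2025:10:00:05 +0000] "GET /files/../../../../../etc/shadow HTTP/1.1" 200 960'),
]


def double_decode(uri: str) -> str:
    """Two urldecode passes, as in the SPL, so %252e%252e%252f becomes ../"""
    return unquote(unquote(uri))


def traversal_depth(decoded_uri: str) -> int:
    """Count of ../ sequences; equals mvcount(split(decoded_uri, "../")) - 1."""
    return decoded_uri.count("../")


def severity_for(depth: int) -> str:
    """Same thresholds as the query's case() expression."""
    if depth >= 4:
        return "critical"
    if depth >= 2:
        return "high"
    if depth >= 1:
        return "medium"
    return "low"


def target_file(decoded_uri: str) -> str:
    """Last path segment, like mvindex(split(decoded_uri, "/"), -1)."""
    return decoded_uri.rsplit("/", 1)[-1]


def is_traversal(raw_uri: str, decoded_uri: str) -> bool:
    """The where clause: decoded URI or raw URI shows a traversal sequence."""
    return bool(TRAVERSAL_RE.search(decoded_uri) or RAW_TRAVERSAL_RE.search(raw_uri))


def analyze(events):
    """Run the detection over (host, line) pairs; returns stats rows keyed by (host, status)."""
    groups = defaultdict(lambda: {
        "request_count": 0, "traversal_uris": set(), "source_ips": set(),
        "max_rank": 0, "suspicious_targets": set(),
    })
    for host, line in events:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line: no uri field, so the where clause drops it
        raw_uri = m["uri"]
        decoded = double_decode(raw_uri)
        if not is_traversal(raw_uri, decoded):
            continue
        row = groups[(host, int(m["status"]))]
        row["request_count"] += 1
        row["traversal_uris"].add(decoded)
        row["source_ips"].add(m["clientip"])
        row["max_rank"] = max(row["max_rank"], SEVERITY_RANK[severity_for(traversal_depth(decoded))])
        row["suspicious_targets"].add("YES" if SENSITIVE_RE.search(target_file(decoded)) else "NO")
    # values() in stats yields sorted, de-duplicated lists; reproduce that shape here.
    return {
        key: {
            "request_count": row["request_count"],
            "traversal_uris": sorted(row["traversal_uris"]),
            "source_ips": sorted(row["source_ips"]),
            "max_severity": RANK_SEVERITY[row["max_rank"]],
            "suspicious_targets": sorted(row["suspicious_targets"]),
        }
        for key, row in groups.items()
    }


if __name__ == "__main__":
    rows = analyze(SAMPLE_EVENTS).items()
    for (host, status), row in sorted(rows, key=lambda kv: -kv[1]["request_count"]):
        print(host, status, row)
```

The clean /allversions request is dropped by the where clause, the two web02 hits with status 200 collapse into one row whose max_severity is "critical" (a string max would have reported "medium"), and the double-encoded web.xml request is only recognised because the second decode pass turns %2e%2e%2f into ../.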
Data Sources
Required Sourcetypes
The query's base search covers access_combined, iis, nginx:plus:kv, apache:access and simplehelp. The web server or reverse proxy in front of SimpleHelp must log the request URI as received, not a normalised form, or the encoded traversal sequences will never reach the index.
False Positives & Tuning
- Authorized penetration testing or vulnerability assessment activities
- Web application firewalls forwarding raw traversal strings in logs without blocking
- Development and staging environments where path traversal testing occurs
- Misconfigured reverse proxies that re-encode or pass through path characters
Testing Methodology
Validate this detection against the four adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.
- Test 1: SimpleHelp Path Traversal - Read /etc/passwd via URL-encoded traversal
  Expected signal: Web server access log entry with URI containing %2e%2e%2f sequences; network flow showing outbound connection to SimpleHelp port 5850; if successful (HTTP 200), response body will contain /etc/passwd content
- Test 2: SimpleHelp Path Traversal - Double URL-encoded traversal for WAF bypass
  Expected signal: Web server access log with %252e%252e in URI; detection systems that only decode once will see %2e%2e after the first decode pass, so double-decode logic is required to identify the traversal
- Test 3: SimpleHelp Path Traversal - Target web application configuration file
  Expected signal: Windows: PowerShell ScriptBlock logging Event ID 4104 showing Invoke-WebRequest with a path traversal URI; network connection to SimpleHelp port 5850; web server access log entry with ../WEB-INF/web.xml in the request path
- Test 4: SimpleHelp Path Traversal - Automated scan simulation with multiple traversal depths
  Expected signal: Multiple web server access log entries with increasing ../ sequences in rapid succession from the same source IP; pattern consistent with automated exploitation tool behaviour