Listen to this Post
The vulnerability exists in SimpleHelp RMM (Remote Monitoring and Management) versions 5.5.7 and earlier. An authenticated attacker with only “Technician” privileges can exploit a missing authorization check in the API key creation endpoint. By sending a crafted HTTP request to `/api/admin/keys` (or a similar admin‑only endpoint), the technician can generate a new API key and assign it permissions that are normally reserved for the server administrator. The server fails to validate that the user actually holds the “Admin” role before creating or assigning such keys. Once the attacker obtains an API key with excessive privileges, they can use it to invoke administrative API methods, modify system configurations, read sensitive data, and potentially pivot to other hosts. The vulnerability is trivial to exploit because the required privileges are low (PR:L), no user interaction is needed (UI:N), and the attack vector is network‑accessible (AV:N). The scope is changed (S:C), meaning the compromised admin account can affect resources beyond the vulnerable component, leading to full compromise of the server. The CVSS v3.1 base score is 9.9 (Critical). A public proof‑of‑concept exploit exists, and the flaw has been observed in the wild, chained with other SimpleHelp CVEs to deploy ransomware.
Platform: SimpleHelp RMM
Version: v5.5.7
Vulnerability : Privilege Escalation
Severity: Critical
date: 2025-01-15
Prediction: Patch 2025-01-31
What Undercode Say:
Enumerate existing technicians
curl -k -X GET "https://target/simplehelp/api/technicians" -H "Authorization: Bearer <low_priv_token>"
Craft API key creation request with admin privileges
curl -k -X POST "https://target/simplehelp/api/admin/keys" \
-H "Authorization: Bearer <low_priv_token>" \
-H "Content-Type: application/json" \
-d '{"name":"pwned","role":"server_admin"}'
Use obtained admin key to list all systems
curl -k -X GET "https://target/simplehelp/api/systems" \
-H "Authorization: Bearer <admin_key>"
Exploit:
Once logged in as a low‑privilege technician, the attacker sends a POST request to the API key creation endpoint without a proper role check. The server returns a new API key that grants full server administrator rights. The attacker then uses this key to access any administrative endpoint, effectively gaining complete control over the SimpleHelp server.
Protection from this CVE
Upgrade to SimpleHelp version 5.5.8 or later, which includes proper authorization checks for API key creation. If upgrading is not immediately possible, restrict API key creation privileges via firewall rules or web application firewall (WAF) policies to block requests to the `/api/admin/keys` endpoint from untrusted sources. Additionally, review and revoke any suspicious API keys, and enforce multi‑factor authentication (MFA) for all technician accounts.
Impact
Successful exploitation allows a low‑privilege technician to escalate to server administrator, leading to full compromise of the remote support server. Attackers can then access all client endpoints, exfiltrate sensitive data, deploy ransomware, and pivot into downstream customer networks. The impact on confidentiality, integrity, and availability is complete (C:H/I:H/A:H).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

