Last updated: July 5, 2026 at 9:01 AM UTC
Tag: rmm (4 articles)

WhatsApp malware spreads fake invoices that install remote-access admin tools

Kaspersky is tracking an active campaign that spreads through WhatsApp by hijacking real accounts and sending their contacts a script file disguised as a business or financial document, with no accompanying message. If a Windows user opens it, the script disables User Account Control protections and silently installs ManageEngine Endpoint Central, a legitimate IT remote-management tool, configured to connect to attacker servers and hand them remote control of the machine. Using trusted contacts and signed, legitimate software helps the attack slip past suspicion and many security tools. The campaign spans several countries, with most confirmed victims in Malaysia, and how the WhatsApp accounts are compromised is still unknown.

Check
Warn staff to treat unexpected document or invoice files sent over WhatsApp as suspect, even from known contacts, and watch for remote-management tools installed outside approved IT processes.
Affected
Windows users who receive and open script files sent through compromised WhatsApp contacts; the campaign is global, with most confirmed victims in Malaysia, and abuses legitimate remote-management software for access.
Fix
Verify unexpected files through a separate channel before opening, block script attachments, allowlist approved remote-management software and alert on unauthorized installs, and keep User Account Control enabled with endpoint protection active.

SimpleHelp flaw lets unauthenticated attackers create rogue admin technicians

A critical flaw in SimpleHelp, a remote support and management tool used by IT teams and managed service providers, lets an unauthenticated attacker create a privileged technician account and skip multi-factor authentication. The bug (CVE-2026-48558) only affects servers configured to use OpenID Connect (OIDC) single sign-on, including Azure AD, and stems from how the server validates identity assertions from the login provider. A rogue technician can then remote into managed machines and run scripts, giving attackers a foothold across every connected endpoint. Researchers found roughly 14,000 SimpleHelp servers exposed online, with about 7 percent using the vulnerable OIDC setup. The flaw affects versions 5.5.15 and earlier.

Check
Determine whether your SimpleHelp servers use OIDC single sign-on (generic or Azure AD) and are running 5.5.15 or earlier, then review the technician account list for unfamiliar or recently created accounts.
Affected
SimpleHelp servers version 5.5.15 and earlier and 6.0 pre-release builds configured for OpenID Connect authentication (CVE-2026-48558), especially those exposed to the internet with group-authenticated logins allowed.
Fix
Update SimpleHelp to the latest patched release immediately. Until then, restrict server access to trusted networks and remove any unrecognized technician accounts found during review.

Silent Ransom Group hits law firms with fake IT support calls

Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.

Check
Review RMM and remote-access tool installs from the past month tied to inbound IT support calls, and flag invoice or data-migration emails sent from consumer addresses.
Affected
US law firms and financial and professional-services organizations whose staff can be phoned and talked into screen-sharing or installing remote management software.
Fix
Require staff to verify any IT support contact through a known internal channel before granting access, restrict who can install RMM tools, and enforce phishing-resistant MFA.
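The two checks above that recur across these articles, alerting on remote-management software installed outside approved IT processes and reviewing RMM installs from the past month, can be scripted against endpoint install logs. The following is an added example, not code from any of the vendors or researchers mentioned: it parses constructed, flattened MsiInstaller-style install events (event 11707 = installation completed) and flags installs of the RMM products named on this page that were not performed by an assumed IT deployment account (`svc_deploy`) within a lookback window.

```python
import re
from datetime import datetime, timedelta, timezone

# Remote-management products named in the articles above; extend for your own estate.
RMM_SIGNATURES = ("simplehelp", "manageengine endpoint central")
# Hypothetical policy: RMM may only be installed by the IT deployment account (assumed name).
APPROVED_INSTALLERS = {"svc_deploy"}

# Constructed sample export of Windows Application log entries from the MsiInstaller source.
LOG_LINES = """\
2026-06-30T08:15:02Z host=IT-JUMP01 user=svc_deploy event=11707 product="SimpleHelp Technician"
2026-07-01T09:12:41Z host=LAPTOP-17 user=jdoe event=11707 product="ManageEngine Endpoint Central Agent"
2026-07-01T10:02:13Z host=LAPTOP-17 user=jdoe event=11707 product="7-Zip 24.08 (x64)"
2026-07-02T11:44:50Z host=DESKTOP-42 user=bchen event=1040 product="SimpleHelp Technician"
2026-07-02T11:45:09Z host=DESKTOP-42 user=bchen event=11707 product="SimpleHelp Technician"
2026-05-20T14:30:00Z host=LAPTOP-03 user=asmith event=11707 product="SimpleHelp Technician"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\d+) product="(?P<product>[^"]*)"$'
)

def parse_ts(text):
    """Parse the UTC timestamp format used in the sample export."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_install_events(lines):
    """Keep only event 11707 (install completed); other MsiInstaller events (e.g. 1040, transaction started) are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "11707":
            continue
        events.append({"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"], "product": m["product"]})
    return events

def flag_unapproved_rmm(events, now_iso, lookback_days=30):
    """Return RMM installs inside the lookback window that were not done by an approved account."""
    since = parse_ts(now_iso) - timedelta(days=lookback_days)
    flagged = []
    for ev in events:
        if ev["ts"] < since:                       # outside the review window (older than a month)
            continue
        if not any(sig in ev["product"].lower() for sig in RMM_SIGNATURES):
            continue                               # not a remote-management product
        if ev["user"] in APPROVED_INSTALLERS:
            continue                               # installed through the approved IT process
        flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for ev in flag_unapproved_rmm(parse_install_events(LOG_LINES), "2026-07-05T09:00:00Z"):
        print(f"ALERT {ev['ts']:%Y-%m-%d} {ev['host']} {ev['user']} installed {ev['product']!r}")
```

Run against the constructed sample, it alerts on the user-initiated ManageEngine Endpoint Central install on LAPTOP-17 and the SimpleHelp install on DESKTOP-42, while the deployment-account install and the install older than the window are left alone.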

CISA adds four more flaws to KEV - SimpleHelp authorization bypass (CVSS 9.9), Samsung MagicINFO, and the D-Link DIR-823X bug already powering fresh Mirai botnets

CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.

Check
Inventory exposed instances of SimpleHelp, Samsung MagicINFO 9 Server, and any remaining D-Link DIR-823X routers. SimpleHelp is the priority - it sits inside the IT trust boundary.
Affected
SimpleHelp before 5.5.8 against CVE-2024-57726 and CVE-2024-57728 (chained to RCE as the SimpleHelp server user). Samsung MagicINFO 9 Server unpatched against CVE-2024-7399. D-Link DIR-823X firmware 240126 and 24082 against CVE-2025-29635 - the product line is discontinued and no vendor patch exists.
Fix
Upgrade SimpleHelp to 5.5.8+ and rotate every API key issued by every technician account, since unprivileged techs could have minted privileged keys during the vulnerable window. Audit SimpleHelp session logs for anomalies. Patch Samsung MagicINFO and remove its internet exposure. For D-Link DIR-823X, replace the hardware - there is no fix. Treat May 8 as your own deadline.