High

Untrusted installer resource execution in SimpleHelp

IdentifiersCVE-2025-36727CWE-829· Inclusion of Functionality from…

CVE-2025-36727 is an inclusion of functionality from an untrusted control sphere issue in SimpleHelp before 5.5.12. According to the provided content, the SimpleHelp customer client/installer can be induced to download installation resources, including the offline installer binary, from an attacker-controlled server and execute them without adequate validation of source legitimacy. In the demonstrated proof of concept, the client requested multiple resources from the attacker-controlled host and downloaded and executed a malicious file served as "Remote Support-windows64-offline.exe," resulting in arbitrary code execution. The write-up further notes that exploitation of CVE-2025-36727 by itself would require a man-in-the-middle position and unencrypted client-to-server requests, but it becomes a practical remote code execution path when chained with CVE-2025-36728, which allows attacker control of the installer hostname parameter.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of attacker-supplied code on the target system running the SimpleHelp client/installer. In practice, this can give an attacker arbitrary code execution in the security context of the user launching the installer, enabling malware deployment, credential theft, persistence, or follow-on compromise. When chained with CVE-2025-36728, the issue can be triggered from a single malicious URL click, materially increasing exploitability against IT support staff or end users.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, restrict use of SimpleHelp and other RMM tools to authorized inventory only, block unauthorized installations, and require downloads only from trusted sources. Audit RMM session activity and review logs for unexpected behavior. Monitor network traffic for suspicious RMM-related installer downloads, unexpected outbound connections, proxy use, or connections to non-approved SimpleHelp infrastructure. Scan for listening services associated with known RMM tools and investigate unusual activity around remote support tool installation or execution.

Remediation

Patch, then assume compromise.

Upgrade SimpleHelp to version 5.5.12 or later. The provided content states the issue affects SimpleHelp before 5.5.12 and that the vendor acknowledged the report and fixed the vulnerabilities. Organizations should ensure all SimpleHelp server and client deployment workflows use the fixed version and retire older installer packages and update paths that may still reference vulnerable behavior.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SimpleHelpSimplehelpapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

the hacker newsNews

Oct 27, 2025

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

A vulnerability listed as trending; no technical details provided in the content.

tenable blogNews

Oct 16, 2025

Tenable Discovers Critical Vulnerabilities in SimpleHelp Tool: CVE-2025-36727 and CVE-2025-36728

A SimpleHelp installer/update trust failure where the client fetches and executes additional components from a server without validating authenticity, enabling attacker-supplied executable replacement and resulting in RCE (especially when combined with CVE-2025-36728).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-36727

NVD

nvd.nist.gov/vuln/detail/CVE-2025-36727

MITRE CWE · CWE-829

Inclusion of Functionality from Untrusted…

Third Party Advisory

tenable.com/security/research/tra-2025-24