Cybersecurity advisory about ransomware affecting billing software (AWWA)


AWWA Security Advisory - Cybersecurity advisory about ransomware affecting billing software

 

The Cybersecurity & Infrastructure Security Agency (CISA) today issued an advisory titled “Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider.”

According to CISA: 

“This advisory is in response to ransomware actors targeting customers of a utility billing software provider through unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM).

“This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025.

“SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, a path traversal vulnerability. Ransomware actors likely exploited CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents.

“CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog on February 13, 2025. Organizations using SimpleHelp RMM should:

  • Search for evidence of compromise,
  • Apply the mitigations outlined in the advisory such as patching CVE-2024-57727 and/or implementing appropriate workarounds to prevent or respond to confirmed or potential compromises, and
  • Follow CISA’s Known Exploited Vulnerabilities Catalog.”

This attack has already impacted water utilities. AWWA encourages all users of the SimpleHelp RMM to act on the mitigation steps outlined above.

Questions can be directed to Kevin Morley, AWWA’s federal relations manager.