Supply chain
BleepingComputer (Primary Source)
Incident Details
The DragonForce ransomware cartel exploited three vulnerabilities in SimpleHelp RMM software (disclosed in January 2025) to breach a managed service provider (MSP) and then pivot to the MSP’s downstream customers. CVE-2024-57727 (CVSS 7.5) is a path traversal flaw; CVE-2024-57726 (CVSS 9.9) allows privilege escalation; CVE-2024-57728 allows arbitrary file upload as admin. Attackers used the MSP’s legitimate SimpleHelp infrastructure to deliver a modified installer to client endpoints, enabling credential harvesting and ransomware deployment. Multiple downstream clients suffered data theft and encryption in a classic MSP supply chain attack. The research was published by Sophos. DragonForce offers affiliates an 80/20 revenue split and has become a dominant ransomware cartel after absorbing talent from disrupted groups.
Technical Details
- Initial Attack Vector: CWE-22: Path Traversal (CVE-2024-57727) and CWE-269: Improper Privilege Management (CVE-2024-57726)
- Vendor / Product: SimpleHelp RMM (Remote Monitoring and Management)
- Software Package: SimpleHelp
- Malware Family: DragonForce ransomware
- CVE / GHSA References: CVE-2024-57726, CVE-2024-57727, CVE-2024-57728
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2025-05-01 Breach occurred
- 2025-05-28 Publicly disclosed
- unknown Customers notified