Your MSP's Remote Support Tool Is Being Used Against You Right Now
CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalogue on 29 June 2026. The vulnerability scores CVSS 10.0. It is being actively exploited. And it sits inside the software your managed service provider almost certainly uses to access your systems.
That last part is the bit worth sitting with for a moment.
What SimpleHelp Is, and Why This Matters
SimpleHelp is a remote monitoring and management (RMM) platform. MSPs use it to connect to client endpoints, run scripts, deploy software, and troubleshoot problems without being physically on-site. It is the technical equivalent of a master key.
CVE-2026-48558 is an authentication bypass flaw in the SimpleHelp server. An unauthenticated attacker, meaning someone with no credentials at all, can send a crafted request that creates a Technician account on the RMM server. A Technician account has access to every managed endpoint connected to that server.
The attack surface is not just your business. It is every business your MSP looks after.
What Attackers Are Actually Doing With This Access
Researchers have documented active exploitation campaigns deploying two previously unreported malware families through compromised SimpleHelp instances.
TaskWeaver is a persistent access tool. It establishes a foothold, moves laterally across connected networks, and maintains access across reboots and defensive responses. It is designed for dwell time: staying quiet, staying present.
Djinn Stealer harvests credentials. Its targets are not limited to Windows login details. Researchers have observed it targeting credentials stored in cloud platforms, code repositories, AI development tools, and cryptocurrency wallets. The credential set it collects maps to where a modern small business actually operates.
The combination is coherent. TaskWeaver keeps the door open. Djinn Stealer empties the safe. Then the attacker decides what to do next: ransomware deployment, data exfiltration, further lateral movement to the MSP’s other clients, or quiet persistence for a later date.
The Supply Chain Problem No One Is Naming Directly
The security industry talks about supply chain risk in the abstract. This is what it looks like in practice.
Your MSP is a trusted third party. You have given them privileged access to your systems because that is the arrangement. The security model depends entirely on their infrastructure being secure. CVE-2026-48558 breaks that model without touching your network directly.
An attacker does not need to phish your staff, guess your passwords, or probe your firewall. They compromise your MSP’s SimpleHelp server and inherit the access your MSP already has.
The NCSC has published guidance on managing the risks of third-party IT providers for precisely this reason. The guidance exists because the problem is real and documented. The question is whether anyone is acting on it.
The Adobe ColdFusion Context: Patch Fatigue Is a Strategy
Yesterday also saw two CVSS 10.0 remote code execution vulnerabilities published for Adobe ColdFusion: CVE-2026-48276 and CVE-2026-48277. Both allow arbitrary code execution without user interaction. The CVSS Scope metric is Changed in both cases, meaning a successful exploit can affect resources beyond the vulnerable component itself.
ColdFusion is not common in the UK SMB market, but it does appear in legacy web infrastructure and some vertical-specific software. If your web presence or line-of-business application runs on ColdFusion, the question is urgent.
More broadly, three CVSS 10.0 disclosures in a single 24-hour window is a data point. Attackers rely on the fact that organisations cannot process and respond to this volume of disclosures at pace. The organisations that have a patching process, however minimal, have a structural advantage over those that do not.
How to Use This as a Competitive Differentiator
CVE-2026-48558 is the kind of vulnerability that exposes the gap between MSPs who treat security as a deliverable and those who treat it as an afterthought.
If you ask your MSP today whether they have patched CVE-2026-48558 and they give you a clear, documented answer, that is a good sign. If they do not know what you are talking about, or if they say they will look into it without committing to a timeline, you have learned something important about the organisation managing your systems.
In procurement conversations, the ability to say that you actively monitor your third-party providers’ patch status is a credible differentiator. It demonstrates that your security posture extends beyond your own perimeter, which is increasingly what enterprise clients and insurance underwriters want to see.
Making the Case to Your Board or Director
Three points that will carry weight in a budget or strategy conversation:
First, the liability question. If your MSP is compromised through a known, patchable vulnerability and your data is exfiltrated as a result, the ICO will look at whether you had appropriate controls over your data processors. “We trusted our MSP” is not a sufficient answer under UK GDPR.
Second, the cost comparison. Asking your MSP for patch confirmation costs nothing. Recovering from a credential theft incident does not. The ratio is not complicated.
Third, the precedent. SimpleHelp has appeared in the KEV catalogue before. This is not an anomaly; it is a pattern. RMM tools are a consistent target because their access model makes them high-value. Knowing that, and acting on it, is basic risk management.
What to Do Before the End of This Week
1. Contact your MSP and ask a direct question. Have you applied the patch for CVE-2026-48558 in SimpleHelp? What version are you now running? Get the answer in writing, even if that just means an email confirmation.
2. If your MSP does not use SimpleHelp, ask what RMM platform they do use. And ask when they last reviewed security advisories for it. The tool does not matter; the process does.
3. Review remote access logs for the past 30 days. Look for account creation events, particularly any new accounts with elevated privileges. If you do not have visibility into this, ask your MSP to provide it.
4. Check your contracts. Your MSP agreement should specify their obligation to maintain patched, secure infrastructure and to notify you of security incidents affecting their systems. If it does not, that gap needs addressing.
5. Review your incident response plan for MSP compromise scenarios. Most SMB incident response plans assume the attacker is external. The SimpleHelp campaign demonstrates that the initial access can come through a trusted third party. Your plan should account for that.
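One way to carry out the log review in step 3, as an added example and not code from this briefing or from SimpleHelp: it scans a constructed audit log in a hypothetical JSON-lines format (field names are assumptions) for elevated-role account creations inside the 30-day window, and ranks those created with no authenticated actor highest, since that is exactly what the bypass produces.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log in a hypothetical JSON-lines format (not a
# real SimpleHelp format); adapt parse_entry() to the fields your RMM emits.
SAMPLE_LOG = """\
{"ts": "2026-06-28T02:14:07Z", "event": "account.create", "account": "svc-helper", "role": "Technician", "actor": null, "src": "203.0.113.45"}
{"ts": "2026-06-10T09:30:00Z", "event": "account.create", "account": "jsmith", "role": "Technician", "actor": "admin", "src": "10.0.5.12"}
{"ts": "2026-05-20T11:00:00Z", "event": "account.create", "account": "old-tech", "role": "Technician", "actor": "admin", "src": "10.0.5.12"}
{"ts": "2026-06-27T14:02:11Z", "event": "session.start", "account": "jsmith", "role": "Technician", "actor": "jsmith", "src": "10.0.5.12"}
{"ts": "2026-06-29T03:41:55Z", "event": "account.create", "account": "reader1", "role": "Viewer", "actor": "admin", "src": "10.0.5.12"}
"""

# Roles assumed to grant access to managed endpoints. Technician is the role
# named in the advisory; Administrator is an assumed higher tier.
ELEVATED_ROLES = {"Technician", "Administrator"}


def parse_entry(line):
    """Parse one JSON-lines record and normalise its UTC timestamp."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def suspicious_account_creations(log_text, now, window_days=30):
    """Return elevated-role account creations inside the review window.

    Creations with no authenticated actor are ranked 'high' because the
    bypass creates Technician accounts without any credentials; the rest are
    ranked 'review' so a human confirms each one was expected.
    """
    cutoff = now - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_entry(line)
        if rec["event"] != "account.create" or rec["ts"] < cutoff:
            continue
        if rec["role"] not in ELEVATED_ROLES:
            continue
        priority = "high" if not rec.get("actor") else "review"
        findings.append({
            "account": rec["account"], "role": rec["role"],
            "created": rec["ts"].isoformat(), "actor": rec.get("actor"),
            "src": rec["src"], "priority": priority,
        })
    # High-priority findings first, then oldest to newest within each band.
    findings.sort(key=lambda f: (f["priority"] != "high", f["created"]))
    return findings


if __name__ == "__main__":
    review_time = datetime(2026, 6, 29, 12, 0, tzinfo=timezone.utc)
    for finding in suspicious_account_creations(SAMPLE_LOG, review_time):
        print(finding)
```

Any "high" finding is the thing to hand to your MSP the same day, together with the source address; "review" findings are the ones to reconcile against their change records.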
If you want to go further, the NCSC’s guidance on zero trust architecture and third-party access is worth reading. It is not just for enterprise. The principles apply at any scale.
And if you found today’s briefing useful: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and pass it on to someone who looks after a small business. That last part matters more than it sounds.