Your MSP's Remote Support Tool Has a Backdoor. CISA Just Confirmed It.
CISA added two SimpleHelp vulnerabilities to its Known Exploited Vulnerabilities catalogue this week. CVE-2024-57726 and CVE-2024-57728. Confirmed, active, in the wild.
SimpleHelp is remote support software. The kind your managed service provider uses to connect to your machines, install updates, fix problems, and generally do the job you pay them for. Legitimate software. Privileged access. Now a confirmed attack vector.
This is the supply chain threat in its clearest form.
What SimpleHelp Is and Why It Matters to You
Remote support tools exist because your IT provider cannot physically be in your office every time something breaks. Software like SimpleHelp creates a controlled channel: the MSP connects, does the work, disconnects.
The operative word is controlled. When a vulnerability exists in that software, and attackers are actively exploiting it, the control is no longer yours.
CVE-2024-57726 is a missing authorisation check: a low-privileged technician account can perform administrative actions it should never have been allowed to reach. CVE-2024-57728 is an arbitrary file upload: an administrator can write files outside the permitted directories on the server, which is a route to running code on the host that every supported machine trusts.
Chained, they are not theoretical risks: a technician-level foothold becomes an administrator, and an administrator becomes code execution on the support server. CISA's Known Exploited Vulnerabilities catalogue does not traffic in hypotheticals. Inclusion requires confirmed evidence of active exploitation. These are being used. Now.
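The two defects described above are generic enough to show in a few lines. The following is an added illustration written for this article, not SimpleHelp's code or a reconstruction of it: a toy "upload target" resolver with both flaws (any logged-in user may call it, and the client-supplied name is joined onto the upload root without a containment check) beside a hardened version that requires the administrator role and rejects any name that resolves outside the root. The directory layout, role names and sample file names are assumptions.

```python
import posixpath
from dataclasses import dataclass

# Assumed upload directory for the illustration; not a real product path.
UPLOAD_ROOT = "/srv/support/uploads"


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # assumed values: "technician" or "admin"


class Forbidden(Exception):
    pass


class BadPath(Exception):
    pass


def vulnerable_upload_target(session: Session, name: str) -> str:
    """Both defects at once: only checks that *someone* is logged in, and trusts
    the client-supplied name. '../../../etc/cron.d/job' walks out of the root."""
    if not session.user:
        raise Forbidden("login required")
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def contain(root: str, name: str) -> str:
    """Resolve name under root and refuse anything that ends up outside it.
    The prefix check uses root + '/' so '/srv/support/uploads_evil' cannot
    pass as a child of '/srv/support/uploads'. On a real filesystem you would
    also realpath() the result to defeat symlink escapes."""
    if not name or "\x00" in name:
        raise BadPath("empty or NUL-containing name")
    root_abs = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_abs, name))
    if not candidate.startswith(root_abs + "/"):
        raise BadPath(f"escapes upload root: {name!r}")
    return candidate


def hardened_upload_target(session: Session, name: str) -> str:
    """Authorisation first (the role, not merely a valid login), then containment."""
    if session.role != "admin":
        raise Forbidden(f"{session.user} is not an administrator")
    return contain(UPLOAD_ROOT, name)


def outcome(fn, session: Session, name: str):
    """Run one resolver and report either the resolved path or the rejection."""
    try:
        return ("ok", fn(session, name))
    except (Forbidden, BadPath) as exc:
        return (type(exc).__name__, str(exc))


if __name__ == "__main__":
    tech = Session("tech1", "technician")   # constructed accounts
    admin = Session("ops", "admin")
    for name in ["reports/q1.pdf", "../../../etc/cron.d/job", "/etc/passwd", "."]:
        print(name, outcome(vulnerable_upload_target, tech, name),
              outcome(hardened_upload_target, admin, name))
```

Run it and the vulnerable resolver happily hands a technician account `/etc/cron.d/job`; the hardened one refuses the technician on role, and refuses the administrator on path. Both checks are needed: the role check alone still lets a legitimate administrator (or a stolen administrator session) write anywhere.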
The Supply Chain Problem Your Firewall Cannot Solve
Here is what makes this category of vulnerability particularly unpleasant for small businesses.
You can patch every machine in your office. You can run endpoint protection. You can enforce MFA on every account. None of it prevents an attacker from exploiting a vulnerability in your MSP's tooling and riding that legitimate access channel straight into your network.
The attacker does not need to compromise you directly. They compromise the tool that already has permission to be inside your systems. From your network's perspective, it looks like your IT provider connecting. Because the software believes it is.
This is not a new attack pattern. It is the logic behind every supply chain compromise of the past decade: reach many victims through one trusted intermediary that already has the keys. The difference today is that CISA has confirmed it is happening with this particular tool.
What the Totolink CVE Adds to the Picture
Separately, NIST published CVE-2026-7037 today. CVSS score: 9.8. This one affects Totolink A8000RU routers, specifically a remote OS command injection vulnerability in the VPN configuration handler.
Totolink devices are not enterprise hardware. They are inexpensive routers that show up in small offices, home offices, and occasionally as secondary network equipment in SMB environments. A CVSS 9.8 corresponds to the worst-case vector short of 10.0: reachable over the network, low attack complexity, no privileges and no user interaction required, and full loss of confidentiality, integrity and availability on the device.
The exploit code is already public.
If you or anyone in your organisation is running a Totolink A8000RU, the question is not whether to act. It is whether you act before someone else does.
Check your network hardware. If you do not know what router you are running, that is also information worth having.
How to Turn This Into a Competitive Advantage
Clients and procurement teams increasingly ask about supply chain security. Most SMBs cannot answer those questions coherently. You can.
Knowing which remote access tools your MSP uses, confirming their patch status, and maintaining a log review process puts you in a position to make a factual statement: we actively monitor our third-party access controls. We verify patch status on tooling that has privileged access to our systems.
That is not a checkbox. That is a demonstrable practice. It differentiates you from competitors who have never thought to ask.
If you hold or are pursuing Cyber Essentials certification, third-party access controls and patch management are both within scope. Tightening your MSP accountability directly strengthens your certification posture.
How to Sell This to Your Board
Three arguments that translate into budget and attention:
The risk is confirmed, not theoretical. CISA's KEV catalogue is evidence-based. Two vulnerabilities in software your MSP may be running are actively exploited. This is not a vendor trying to sell you something. It is a government agency publishing confirmed threat data.
The attack surface is your supplier, not just your systems. Traditional security investment focuses on your own infrastructure. Supply chain attacks bypass that entirely. The question for the board is: do we have visibility into the security posture of organisations with privileged access to our systems?
The remediation cost is low. Asking your MSP to confirm patch status costs nothing. Establishing a quarterly review of third-party access tooling costs very little. The cost of not doing it, measured against a ransomware incident traced to a compromised support tool, is considerably higher.
What to Do Before the End of This Week
1. Ask your MSP which remote access tools they use to connect to your systems. Get a straight answer. SimpleHelp, TeamViewer, ConnectWise Control, AnyDesk. Know the name. If they cannot or will not tell you, that is a problem independent of this vulnerability.
2. Ask them to confirm patch status in writing. An email will do. You want a dated, written confirmation that their remote access tooling is current. This creates accountability and gives you a record.
3. Pull your remote access audit logs. Ask your MSP for the session history from their remote support tool: SimpleHelp and its competitors record which technician connected to which machine, when, and for how long. Then check what your own systems saw, because a compromised tool will not report on itself: Microsoft 365 and Google Workspace sign-in logs and your firewall's connection logs show remote access independently of the MSP's records. Review the last 30 days. Look for sessions at unusual hours, from unexpected locations or addresses, by accounts you do not recognise, or running far longer than a routine fix.
4. Check your network hardware for Totolink devices. Log into your router admin panel. Check the make and model. If you are running a Totolink A8000RU, contact your MSP or IT support today and request an immediate replacement or firmware update check. Do not wait.
5. If your MSP cannot answer basic questions about their patch status, treat that as a supplier risk flag. You would not accept a supplier who could not tell you whether their delivery vehicles had valid MOTs. Apply the same standard to software that has administrative access to your systems. If you are unsure how to evaluate your MSP's responses, the questions to ask your IT provider article covers this in detail.
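Step 3 above, and the "log review process" the competitive-advantage section asks you to maintain, come down to the same routine: take a session export and flag the entries worth a phone call. The script below is an added example written for this article, not a tool from SimpleHelp or any vendor. It reads a constructed CSV export (the column names are assumptions; map them to whatever your MSP actually sends) and flags the four things the step tells you to look for: sessions outside business hours or at weekends, sessions from addresses outside the MSP's declared egress range, technician accounts you have not been told about, and sessions running far longer than a routine fix. The account names, IP range, hours and threshold are placeholders you would replace with what your MSP confirms in writing.

```python
import csv
import io
import ipaddress
from datetime import datetime, time

# Constructed sample export for the illustration. Timestamps are taken to be
# local time; field names are assumed, not any product's real schema.
SAMPLE_LOG = """\
started,technician,source_ip,target,duration_min
2026-03-02T09:15:00,jane.msp,203.0.113.10,FINANCE-PC01,22
2026-03-02T14:40:00,tom.msp,203.0.113.11,DC01,35
2026-03-03T02:12:00,tom.msp,198.51.100.77,DC01,140
2026-03-04T11:05:00,svc_support,203.0.113.10,FILESRV,15
2026-03-07T10:30:00,jane.msp,203.0.113.10,RECEPTION-PC,10
"""

# Placeholders: what the MSP has confirmed to you in writing.
KNOWN_TECHNICIANS = {"jane.msp", "tom.msp"}
MSP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
LONG_SESSION_MIN = 120


def flags_for(row: dict) -> list:
    """Return the list of reasons one session deserves a second look."""
    started = datetime.fromisoformat(row["started"])
    flags = []
    if row["technician"] not in KNOWN_TECHNICIANS:
        flags.append("unknown_account")
    src = ipaddress.ip_address(row["source_ip"])
    if not any(src in net for net in MSP_EGRESS):
        flags.append("unexpected_source")
    weekend = started.weekday() >= 5
    if weekend or not (BUSINESS_START <= started.time() < BUSINESS_END):
        flags.append("off_hours")
    if int(row["duration_min"]) > LONG_SESSION_MIN:
        flags.append("long_session")
    return flags


def review(log_text: str) -> list:
    """Parse a CSV export and return (started, technician, target, flags) for
    every session that raised at least one flag. Clean sessions are omitted."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        flags = flags_for(row)
        if flags:
            findings.append((row["started"], row["technician"], row["target"], flags))
    return findings


if __name__ == "__main__":
    for started, tech, target, flags in review(SAMPLE_LOG):
        print(f"{started}  {tech:<12} {target:<14} {', '.join(flags)}")
```

On the constructed data the 02:12 session into the domain controller stands out on three counts at once (unknown address, middle of the night, two hours twenty minutes), which is exactly the profile of an attacker using a compromised support tool. The point of the exercise is the conversation that follows: send the flagged rows to your MSP and ask them to account for each one. A provider who can is doing their job; a provider who cannot has just told you something about their own visibility.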