SimpleHelp: CISA warns of critical vulnerabilities in remote access software
The recent alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities in SimpleHelp remote support software highlights the growing risk in the software supply chain, making it a real threat to MSPs and their clients.
These weaknesses were exploited by ransomware groups to compromise managed service providers (MSPs) and their clients, allowing unauthorised remote access and highlighting how unpatched vulnerabilities can facilitate massive, sophisticated attacks in corporate environments.
This event is particularly significant because it shows that attackers do not need brute force, phishing or port scanning when an internet-exposed, unpatched remote-access server hands them the same access a technician has. A legitimate tool becoming the entry point is a particular risk for MSPs: the provider is not only exposed itself, it can also unwittingly become the channel through which its own clients are compromised.
The risk of implicit trust
The vulnerabilities exploited in SimpleHelp allowed attackers to take over the support server and, through it, run commands on the endpoints enrolled in it, giving them the same reach as a legitimate technician. From there, lateral movement, persistence, privilege escalation and credential access followed, in many cases without generating immediate alerts, because the activity came from a tool that was expected to open remote sessions and spawn processes. This ability to operate from within, through a trusted channel, means that MSPs need to review their defence strategy and reinforce key elements in their security architecture, including:
- Updates and patch management: The SimpleHelp incident underlines the importance of fast and rigorous patch management. For MSPs, keeping systems and applications updated not only reduces the window of exposure to new vulnerabilities, but also means they can react faster to emerging threats. Automating both the application and the verification of updates (confirming that every instance, across every client, is actually running a fixed version rather than assuming the job succeeded) helps prevent the exploitation of known vulnerabilities and stops a single unpatched server from becoming the way into multiple clients. Because applying a fix does not evict an attacker who already used the flaw, an emergency patch of an internet-facing remote-access server should be paired with a check for prior compromise.
- Network segmentation and least privilege policies: Assuming that an intrusion will eventually happen is not a weakness, but part of a realistic approach to security. Well-designed segmentation limits the reach of an isolated compromise and prevents it from becoming a major incident. Separating assets by sensitivity level and applying zero trust policies reduces the potential for lateral movement and contains the impact within controlled zones; for a remote-support platform in particular, this means the server's management interface should not be reachable from the open internet, and the accounts and agents it uses should hold only the rights a technician needs on that client, not domain-wide administrative access. This, in turn, allows a faster and more accurate response, reducing the risk of the incident spreading to other systems or clients.
- Visibility and unified management of distributed environments: Having multiple security solutions without effective integration creates blind spots that compromise responsiveness. As an MSP, it is essential to:
- Unify endpoint, network and cloud visibility in a single console.
- Correlate events in real time.
- Integrate detection and response capabilities (XDR).
A centralised approach reduces the mean time to detect (MTTD) and shortens the mean time to respond (MTTR), even when dealing with attacks that use authorised tools as a vector. For remote-support tools in particular, the signal is rarely a single bad event: it is the combination of a remote session from the tool followed by unusual process activity on the endpoint, or one operator account reaching hosts across several clients in a short time.
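As an added example (not code from the original article, CISA or SimpleHelp) of the real-time correlation called for above, the following joins two sources, the remote-support server's session log and endpoint process telemetry, and applies two rules: a suspicious process spawned by the support agent within a few minutes of a session opening on that host, and a single operator account opening sessions to three or more tenants inside ten minutes. The JSON-lines telemetry is constructed, `rsagent.exe` is a stand-in for whatever executable your agent runs as, and the thresholds and suspicious-image list are starting points to tune, not a vendor rule set.

```python
"""Cross-source correlation for remote-support tool abuse.

Added example; not code from the original article, CISA or SimpleHelp.
Assumptions (hypothetical): RAW_EVENTS is constructed telemetry normalised to
one shape; "rsagent.exe" stands in for the remote-support agent's process name;
rule thresholds and SUSPICIOUS_CHILDREN are tuning starting points.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AGENT_IMAGE = "rsagent.exe"  # hypothetical agent process name
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "vssadmin.exe", "wmic.exe",
                       "rundll32.exe", "certutil.exe", "net.exe"}
CHILD_WINDOW = timedelta(minutes=5)     # process start must follow a session open this closely
FANOUT_WINDOW = timedelta(minutes=10)   # window for counting distinct tenants per operator
FANOUT_MIN_TENANTS = 3

# Constructed sample telemetry: "rmm" rows come from the support server's session
# log, "edr" rows from endpoint process telemetry. Not real logs.
RAW_EVENTS = """\
{"ts":"2025-06-10T02:01:00Z","src":"rmm","type":"session_open","operator":"svc-rmm","tenant":"acme","host":"ACME-DC01","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:02:30Z","src":"edr","type":"process","tenant":"acme","host":"ACME-DC01","parent":"rsagent.exe","image":"powershell.exe","cmd":"powershell -enc ..."}
{"ts":"2025-06-10T02:03:00Z","src":"rmm","type":"session_open","operator":"svc-rmm","tenant":"globex","host":"GLX-FS01","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T02:04:10Z","src":"edr","type":"process","tenant":"globex","host":"GLX-FS01","parent":"rsagent.exe","image":"vssadmin.exe","cmd":"vssadmin delete shadows /all /quiet"}
{"ts":"2025-06-10T02:05:00Z","src":"rmm","type":"session_open","operator":"svc-rmm","tenant":"initech","host":"INT-WS14","src_ip":"203.0.113.7"}
{"ts":"2025-06-10T09:15:00Z","src":"rmm","type":"session_open","operator":"jdoe","tenant":"acme","host":"ACME-WS07","src_ip":"198.51.100.20"}
{"ts":"2025-06-10T09:16:00Z","src":"edr","type":"process","tenant":"acme","host":"ACME-WS07","parent":"rsagent.exe","image":"notepad.exe","cmd":"notepad.exe"}
{"ts":"2025-06-10T09:40:00Z","src":"edr","type":"process","tenant":"acme","host":"ACME-WS07","parent":"rsagent.exe","image":"powershell.exe","cmd":"powershell Get-Service"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse JSON lines, attach an aware datetime under "t", sort by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["t"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["t"])


def suspicious_children(events: list[dict]) -> list[dict]:
    """Rule 1: agent spawns a suspicious image within CHILD_WINDOW of a session open on that host."""
    last_session: dict[tuple[str, str], dict] = {}
    alerts = []
    for ev in events:
        key = (ev["tenant"], ev["host"])
        if ev["type"] == "session_open":
            last_session[key] = ev
        elif (ev["type"] == "process"
              and ev["parent"].lower() == AGENT_IMAGE
              and ev["image"].lower() in SUSPICIOUS_CHILDREN):
            sess = last_session.get(key)
            if sess is not None and timedelta(0) <= ev["t"] - sess["t"] <= CHILD_WINDOW:
                alerts.append({"rule": "suspicious_child_after_session",
                               "tenant": ev["tenant"], "host": ev["host"],
                               "operator": sess["operator"], "image": ev["image"],
                               "cmd": ev["cmd"],
                               "seconds_after_session": int((ev["t"] - sess["t"]).total_seconds())})
    return alerts


def cross_tenant_fanout(events: list[dict]) -> list[dict]:
    """Rule 2: one operator opens sessions to >= FANOUT_MIN_TENANTS tenants inside FANOUT_WINDOW."""
    by_operator: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "session_open":
            by_operator[ev["operator"]].append(ev)
    alerts = []
    for operator, opens in by_operator.items():
        for i, first in enumerate(opens):
            window = [e for e in opens[i:] if e["t"] - first["t"] <= FANOUT_WINDOW]
            tenants = sorted({e["tenant"] for e in window})
            if len(tenants) >= FANOUT_MIN_TENANTS:
                alerts.append({"rule": "cross_tenant_fanout", "operator": operator,
                               "tenants": tenants,
                               "src_ips": sorted({e["src_ip"] for e in window}),
                               "window_start": first["ts"]})
                break  # one alert per operator is enough for triage
    return alerts


def correlate(raw: str) -> list[dict]:
    """Run both rules over the raw telemetry and return the alerts."""
    events = parse_events(raw)
    return suspicious_children(events) + cross_tenant_fanout(events)


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(json.dumps(alert))
```

On the constructed data, rule 1 fires for `ACME-DC01` and `GLX-FS01` (PowerShell and shadow-copy deletion seconds after a session opened), and rule 2 fires once for `svc-rmm`, which touched three tenants from one IP in four minutes; the `jdoe` session on `ACME-WS07` produces nothing, because `notepad.exe` is benign and the later PowerShell start falls outside the five-minute window. Neither rule is possible when session logs and endpoint telemetry sit in separate consoles, which is the point of unifying them.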
The SimpleHelp incident highlights the need to progress towards holistic, multi-layered cybersecurity, capable of responding to complex and evolving threats. For MSPs, this means prioritising strategies that unify detection, response, patch management, segmentation and visibility across the entire managed environment. This approach reduces operational fragmentation and strengthens resilience to attacks that exploit the dispersion of systems and tools, including those hiding behind legitimate solutions. In a context in which the supply chain is already a common target for attackers, integrating processes, automating critical tasks and guaranteeing comprehensive and centralised visibility is no longer optional but an essential requirement to protect internal and client environments.