A maximum-severity flaw in a widely used remote-support tool is being actively exploited. You have probably never heard of the software, and you almost certainly do not run it yourself. That is exactly why it is worth understanding: the tools your IT provider uses to manage your systems are part of your attack surface, not just theirs.
The specific bug is a useful example of a risk most small businesses never think about, so it is worth a plain-language look.
What happened
The vulnerability, tracked as CVE-2026-48558, sits in SimpleHelp, a remote monitoring and management (RMM) tool that IT providers use to connect to and support client computers. It carries the maximum severity score of 10 out of 10, and the U.S. Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalogue on June 29 after confirming real-world attacks.
The flaw is a clean example of a simple mistake with serious consequences: SimpleHelp did not properly verify the digital signature on the login tokens used in one of its sign-in methods. An attacker can forge one of those tokens, present it, and be handed a fully authenticated technician session, no password needed, and multi-factor authentication bypassed. Security researchers have confirmed attackers using the access to plant credential-stealing malware that scoops up cloud logins, SSH and Git keys, and configuration files. The fix is to update SimpleHelp to version 5.5.16 or 6.0 RC2.
Why this is a small-business story
It is tempting to file this under "not my software." But that is the point of a supply-chain risk: you do not have to run the tool to be exposed by it.
- These tools run with deep access to your systems, by design. An RMM tool exists to control your computers remotely, so whoever controls the RMM effectively controls the machines it manages.
- One compromise reaches many businesses at once. Break into one IT provider's remote-support server and you can reach every downstream client through it. Attackers love this leverage, and RMM tools have been a repeated target for exactly that reason.
- Outsourcing the work does not outsource the risk. "We have an IT company" does not put this beyond your concern, because the exposure lands on your systems and your data.
- Multi-factor authentication was not enough here. The flaw bypassed it entirely, a reminder that a vendor's own security hygiene matters as much as your own controls.
What to actually do
You cannot patch software you do not run. What you can do is ask the right questions, and a good provider will already have answers:
- Ask directly: "Do you use SimpleHelp? If so, have you updated to the fixed version and checked for signs of compromise?" A prompt, specific answer is a good sign.
- Ask more broadly: what remote-access tools does your provider run on your systems, how are those tools secured, and how quickly do they apply critical patches?
- Treat your provider as a vendor you assess, the same way you would any supplier that touches your data, which we covered in your biggest cyber risk is a vendor you already trust.