Future Technology

SimpleHelp RMM zero-day (CVSS 10.0) hits MSP supply chain

Cybersecurity · 10 July 2026

A vulnerability in SimpleHelp's remote monitoring and management software has been assigned the maximum possible severity score, CVSS 10.0, and it isn't sitting on a shelf. CVE-2026-48558 is being actively exploited in the wild to deploy a loader tracked as TaskWeaver, according to researchers monitoring the campaign. CISA has added it to the Known Exploited Vulnerabilities catalog, with a patch deadline of 4 July 2026 for US federal agencies. That deadline has already passed. Plenty of managed service providers running SimpleHelp outside government haven't patched yet.

RMM software exists to give an MSP centralised remote control over every device it manages on behalf of clients, which is exactly what makes a flaw like this so dangerous. Compromise one SimpleHelp instance and an attacker doesn't get access to one network, they get a jumping-off point into every client network that MSP touches. It's the same category of risk that made the 2023 MOVEit and Kaseya incidents so damaging: the software's entire purpose is broad, trusted access, and that purpose becomes a liability the moment it's compromised.

Who's actually exposed

If you run an in-house IT team and don't use SimpleHelp, this doesn't touch you directly. If you outsource IT support to a managed service provider, though, you may be exposed without knowing it, because most clients have no visibility into which RMM tool their provider runs. TaskWeaver, the loader being deployed post-exploitation, has been linked in past campaigns to further payload delivery, meaning initial access here is rarely the end goal.

What to do

Businesses that outsource IT: ask your provider directly, in writing, whether they run SimpleHelp and whether the July patch has been applied. This is a reasonable question to ask any vendor with privileged access to your systems, and a provider that can't answer quickly is itself a red flag. Businesses running SimpleHelp directly: patch now, don't wait for a scheduled maintenance window, a CVSS 10.0 score under active exploitation is about as unambiguous a "patch immediately" signal as this industry produces.

Get the week's real security priorities, not the noise, every Friday.