SimpleHelp auth bypass lets attackers create technician accounts
Remote support tooling concentrates risk by design: one unauthenticated account can become a fleet-wide access problem.
TL;DR
CIS warned that a SimpleHelp authentication-bypass vulnerability could let unauthenticated attackers create a new Technician account and remote into managed endpoints. MSPs, contractors, C3PAOs, and other organizations using SimpleHelp face the ugly version of convenience: script execution, program installation, and data access from the same tool that makes support scalable. The advisory does not identify a patch timeline or active exploitation evidence.
For MSPs, contractors, and C3PAOs running SimpleHelp, this is not a boutique application bug. CIS says successful exploitation could let an unauthenticated attacker create a new Technician account, remote into managed endpoints, execute scripts, install programs, and view, change, or delete data. That is the whole point of remote support software when used legitimately, which is also why authentication bypass in this category is never just authentication bypass.
The operational move is straightforward: inventory exposed SimpleHelp instances, look for newly created Technician accounts, review remote-session and script-execution history, and patch or isolate the service when an updated version is available. The current advisory does not say whether SimpleHelp has released a fix, nor does it cite active exploitation of this specific flaw.
The context is less comforting. CISA warned in 2025 that ransomware actors had exploited unpatched SimpleHelp Remote Monitoring and Management instances to compromise downstream customers of a utility billing software provider, and described a broader pattern of targeting unpatched SimpleHelp since January 2025 (https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a). ConnectWise, AnyDesk, and now SimpleHelp keep making the same point from different logos: the tool that gives one technician access to thousands of endpoints is also the tool an attacker wants first.
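The review steps described above (new Technician accounts, then their remote-session and script-execution history) can be scripted once the server's account and session records are exported. The following is an added example, not code from CIS, SimpleHelp, or this article; the event schema, field names, sample events, and technician roster are constructed assumptions and do not reflect SimpleHelp's native log format.

```python
import json
from datetime import datetime
# Constructed sample data in a hypothetical normalized schema; this is NOT
# SimpleHelp's native log format. Map your server's exported records to it first.
SAMPLE_EVENTS = """
{"ts": "2025-05-02T08:15:00", "type": "technician_created", "technician": "alice"}
{"ts": "2025-06-10T02:41:00", "type": "technician_created", "technician": "svc-help2"}
{"ts": "2025-06-10T02:44:00", "type": "remote_session", "technician": "svc-help2", "endpoint": "FIN-WS-014"}
{"ts": "2025-06-10T02:47:00", "type": "script_executed", "technician": "svc-help2", "endpoint": "FIN-WS-014"}
{"ts": "2025-06-10T02:52:00", "type": "script_executed", "technician": "svc-help2", "endpoint": "DC-01"}
{"ts": "2025-06-10T09:05:00", "type": "remote_session", "technician": "alice", "endpoint": "HR-WS-003"}
{"ts": "2025-06-11T10:00:00", "type": "remote_session", "technician": "ghost", "endpoint": "HR-WS-003"}
"""
APPROVED_TECHNICIANS = {"alice", "bob"}  # assumed roster, e.g. from HR or ticketing
COUNTERS = {"remote_session": "sessions", "script_executed": "scripts"}

def load_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def review(events, approved, window_start):
    """Flag technicians created in the window or absent from the roster, with their activity."""
    start = datetime.fromisoformat(window_start)
    findings = {}
    for e in events:
        if e["ts"] < start:
            continue  # outside the review window
        tech = e["technician"]
        reasons = set()
        if e["type"] == "technician_created":
            reasons.add("created_in_window")
        if tech not in approved:
            reasons.add("not_on_roster")
        if not reasons and tech not in findings:
            continue  # known technician with no new account event
        f = findings.setdefault(tech, {"created": None, "reasons": set(),
                                       "sessions": 0, "scripts": 0, "endpoints": set()})
        f["reasons"] |= reasons
        if e["type"] == "technician_created":
            f["created"] = e["ts"].isoformat()
        elif e["type"] in COUNTERS:
            f[COUNTERS[e["type"]]] += 1
            f["endpoints"].add(e["endpoint"])  # endpoints needing follow-up triage
    return findings

if __name__ == "__main__":
    print(review(load_events(SAMPLE_EVENTS), APPROVED_TECHNICIANS, "2025-06-01T00:00:00"))
```

An account that shows activity but has no recorded creation event (`created` is `None`) deserves the same scrutiny as one created inside the window, since the creation record itself may be missing or outside the export.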
Published · Deep Fathom