Skip to main content
close search
site logo
Dive Brief

CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws

The latest confirmed cyber intrusion hit a utility billing software provider and its customers.

Published June 13, 2025
Eric Geller's headshot
Senior Reporter
Remote software
Courtesy of Remote
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • Ransomware gangs have exploited a vulnerability in the SimpleHelp remote support program to breach customers of a utility billing software vendor, the Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday.
  • The government advisory follows an earlier warning from CISA and the FBI that hackers associated with the Play ransomware gang had been targeting critical infrastructure organizations using the flaw in SimpleHelp’s remote management software.
  • The new CISA alert highlights the risks of vendors not verifying the security of their software before providing it to customers.

Dive Insight:

The complexities of software supply chains have been a boon for hackers. Companies that supply programs to other firms sometimes unwittingly pass on vulnerabilities to those firms, opening the door for malicious actors.

In this case, the vulnerable software, SimpleHelp, provides remote support and management functions for businesses. SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including one — CVE-2024-57727 — that CISA said hackers likely used “to access downstream customers’ unpatched SimpleHelp [software]  for disruption of services in double extortion compromises.”

SimpleHelp disclosed this flaw and two others in mid-January, and within weeks, hackers were chaining them together in attacks on unpatched systems. In late May, Sophos researchers said hackers had breached a managed service provider and its customers using these vulnerabilities. 

In its Thursday alert, CISA said the breach of the utility payment vendor reflected a “broader pattern” of such attacks.

The agency urged “software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.” 

Vendors should isolate vulnerable SimpleHelp instances, update the software and warn customers, according to CISA, while customers should determine whether they are running the SimpleHelp endpoint service, isolate and update those systems and follow SimpleHelp’s additional guidance.

CISA encouraged victims to share certain incident information with the FBI, including which foreign IP addresses connected to their systems, what the ransom note said, what the attackers told them and other details.

Editors' picks

Company Announcements

View all | Post a press release
360 Privacy and The Hetherington Group Announce Strategic Partnership
From 360 Privacy
June 09, 2025
360 Privacy logo
Anomali Introduces New ThreatStream Offerings for the Age of AI
From Anomali
June 11, 2025
Anomali logo
Embrace Enhances User-Focused Observability Platform with New Web RUM Product
From Embrace
June 11, 2025
Embrace logo
Mckinsey Nextrend: 5 Tools That Help You Sleep Better at Night (If You’re a CISO)
From Mckinsey Nextrend
June 04, 2025
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.