Path Traversal, Explained — The Trick Behind This Week’s SimpleHelp Patch
Path traversal is a class of bug that lets an attacker walk out of the folder a piece of software is supposed to keep them in. It’s been around as long as the web has, and it just resurfaced in this week’s SimpleHelp advisory that CISA added to its Known Exploited Vulnerabilities list.
Think of a server like a building with one reception desk. Anything visitors hand over is meant to end up in a designated drop-off room. A path traversal flaw is the equivalent of writing a delivery address like “..\..\..\CEO’s office” and the mail clerk just walking it there without checking. In SimpleHelp’s case, that “office” is anywhere on the server’s file system — which means an attacker can plant a file that executes code, overwrite a configuration, or quietly pull sensitive data out the back door.
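To make the mail-clerk picture concrete, here is an added Python example (not SimpleHelp's code, and not code from this article's author) that contrasts a join that trusts the supplied name with a check that refuses anything resolving outside the drop-off folder. The function names, folder and sample file names are assumptions made up for illustration.

```python
import os
import tempfile

def naive_target(drop_dir, name):
    """Vulnerable pattern: trust the client-supplied name and just join it."""
    return os.path.normpath(os.path.join(drop_dir, name))

def safe_target(drop_dir, name):
    """Return the resolved path for `name` inside drop_dir, or raise ValueError."""
    # Treat Windows-style "..\" as a separator on every platform.
    name = name.replace("\\", "/")
    base = os.path.realpath(drop_dir)
    # realpath collapses ".." and follows symlinks; an absolute `name`
    # makes join() discard `base`, which the containment check below catches.
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so "/srv/drop-evil" is not
    # mistaken for something inside "/srv/drop" (a startswith() check would be).
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected: {name!r} resolves outside the drop-off folder")
    return candidate

def triage(drop_dir, names):
    """Map each supplied name to 'accepted' or 'rejected'."""
    result = {}
    for n in names:
        try:
            safe_target(drop_dir, n)
            result[n] = "accepted"
        except ValueError:
            result[n] = "rejected"
    return result

# Constructed sample names, not taken from any real incident.
SAMPLES = ["report.pdf", "logs/today.txt", "../../etc/passwd",
           "..\\..\\..\\office\\memo.txt", "/etc/passwd"]

if __name__ == "__main__":
    drop = tempfile.mkdtemp(prefix="dropoff-")
    print("naive join lands at:", naive_target(drop, SAMPLES[2]))
    for name, verdict in triage(drop, SAMPLES).items():
        print(f"{verdict:9} {name}")
```

The same containment check applies to every entry name when unpacking an archive, which is the "zip slip" variant mentioned further down.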
Why does this matter for your business? Because path traversal almost always lives inside ordinary software you didn’t write yourself — your remote-support tool, file-sharing platform, content management system, web app, or even a printer’s web interface. You don’t see the bug. You inherit it from a vendor. The only practical defence is keeping that software patched and paying attention when an advisory names something you run. SimpleHelp’s flaw was disclosed months ago; CISA only escalated it once active exploitation was confirmed.
The practical implication for an Australian SMB: when you read a CVE that mentions “arbitrary file upload” or “zip slip,” that’s path traversal. Treat it as urgent. Push your IT provider to confirm the affected software has actually been patched in your environment, not just acknowledged on a status page. Sitting on this kind of bug is how breaches start — and under Australia’s notifiable data breach scheme, the consequences land on you, not the vendor.
If you’d like a hand auditing your patch posture, our managed IT team does this for a living.
