75% of MSPs Breached: Supply Chain Risk Starts With You
Three quarters of managed service providers suffered at least one cybersecurity breach in the past twelve months. Over half were hit twice or more. Nearly a third reported three or more incidents. Those numbers come from the CyberSmart MSP Survey 2026, published May 13, polling 350 MSP leaders across the UK and Ireland. A parallel WatchGuard MSP Cybersecurity Trends Report confirmed the same 75% figure independently.
The supply chain risk that MSPs sell protection against is, statistically, the MSP itself.
This is not a new observation. What is new is the convergence of three forces making it existential in 2026: ransomware groups have shifted to systematically targeting IT service providers, a critical authentication bypass is being actively exploited against MSP infrastructure across five countries, and CMMC Phase 2 enforcement begins in November with auditors explicitly trained to reject “our MSP handles that” as a compliance response.
Ransomware Groups Are Targeting MSPs by Design
The Acronis H2 2025 Cyberthreats Report documented nearly 150 MSP and telecom organizations directly targeted by ransomware operators, while over 7,600 victims were publicly disclosed globally. Attackers exploited RMM tools including AnyDesk and TeamViewer to impact more than 1,200 third-party and supply chain victims.
Two groups dominate this activity.
Qilin posted over 55 new victims in just the first two weeks of January 2026, ahead of its record-setting 2025 pace. Qilin led all ransomware groups with 23% of publicly disclosed victims in the Acronis dataset (962 total). The group’s supply chain strategy became visible during the Korean Leaks campaign, where compromise of a single upstream IT provider pushed Qilin ransomware to dozens of downstream financial institutions in South Korea within a compressed time window. For Qilin, MSPs are not incidental targets. They are force multipliers.
Akira followed at 18% of disclosed victims (726 total). Akira has now claimed over 1,400 victims since emerging in 2023 and collected at least $245 million in ransom payments. The group moves fast: confirmed intrusion-to-encryption times under four hours. In November 2025, CISA, the FBI, and international partners issued an updated joint advisory on Akira’s expanded targeting across critical infrastructure, including government and defense-adjacent sectors. The FBI ranks Akira among the top five ransomware variants targeting US businesses.
What makes the Qilin-Akira convergence relevant for MSPs is documented in the Acronis data: Akira and Cl0p were the dominant actors in attacks that exploited RMM tools to compromise downstream environments. The attack path runs directly through the managed services delivery model. One compromised MSP credential, one unpatched RMM instance, one stale VPN appliance, and the attacker has the keys to every client environment that MSP manages.
CVE-2026-41940: A Live Example of MSP-Targeted Exploitation
The theoretical risk became concrete on April 28, 2026, when cPanel issued a security update for CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel & WHM. The vulnerability allows unauthenticated remote attackers to inject crafted data into a pre-authentication session file. When the cPanel service daemon re-parses that file, the injected entries promote the session to a fully authenticated root session, bypassing both the password and the 2FA gates.
The vulnerability had been exploited in the wild since at least February 23, 2026, two months before the patch. Within 24 hours of a public proof-of-concept, multiple threat actors began deploying ransomware, botnet malware, and command-and-control frameworks against targets including government agencies, military domains, and managed service providers across five countries: the Philippines, Laos, Canada, South Africa, and the United States.
The targeting of MSPs through this vulnerability carries compounding risk. A single compromised MSP may manage hosting environments for dozens or hundreds of client organizations. Authentication bypass at the cPanel level grants control over every hosted account on a server: client websites, email accounts, databases, and file systems.
“Sorry” ransomware, a Go-based Linux encryptor, was deployed against compromised servers. The AdaptixC2 post-exploitation framework established persistent command-and-control access. Mirai botnet variants were also observed. The attack surface was not limited to a single threat actor or a single payload.
CMMC Phase 2: “Our MSP Handles That” Becomes an Audit Failure
For MSPs serving the defense industrial base, the compliance dimension of this problem has a hard deadline.
CMMC Phase 2 begins November 10, 2026. Phase 1, which took effect in December 2025, primarily relied on self-assessments. Phase 2 shifts enforcement to third-party assessment: contracting officers will require independently verified Level 2 certification by a Certified Third-Party Assessment Organization (C3PAO) as a default condition for contracts involving Controlled Unclassified Information.
The Department of Defense estimates more than 76,000 organizations need Level 2 C3PAO certification. As of February 2026, fewer than 1,100 had completed it.
What matters for MSPs is how CMMC treats outsourced controls. An organization can outsource security operations to an MSP. It cannot outsource compliance accountability. Assessors are explicitly trained to probe this distinction. Stating “our MSP handles that” is not a valid audit response. For a control to be scored as compliant through inheritance, the contractor must demonstrate that the control is properly implemented, documented, and applicable to its specific CUI environment. The MSP must provide evidence. The contractor must validate it.
This creates two problems for MSPs simultaneously. First, if your own environment is not hardened and documented to CMMC standards, you cannot serve as a valid inheritable control source for any contractor client. Second, if a contractor client tells a C3PAO assessor that “the MSP handles it” and you cannot produce the documentation to back that claim, you have just caused your client to fail their assessment. That client now has a compliance gap, a delayed contract award, and a very specific reason to change providers.
A typical readiness journey from gap analysis through remediation, documentation, and C3PAO engagement runs twelve to fourteen months. Starting today puts an MSP on track for certification in mid-to-late 2027. Waiting longer makes the math worse.
The Dual Opportunity: Self-Defense and Revenue
The MSP market is not short on pressure. Seventy-one percent of MSPs identify new customer acquisition as their top challenge. Deal sizes are declining. AI demand is high (48% of clients cite it as their top need) but only 13% of MSPs generate meaningful AI revenue from it. Cybersecurity remains the strongest revenue growth category, with 71% of MSPs reporting year-over-year growth in security services.
The compliance services market reflects this trajectory. The global Compliance-as-a-Service market was valued at $6.73 billion in 2025 and is projected to reach $15.35 billion by 2033, growing at a 10% CAGR. The vCISO market is on a similar curve, valued at $1.4 billion in 2024 with projections reaching $3.8 billion by 2033 at a 12.2% CAGR.
CIS benchmark assessments sit at the intersection of both sides of this problem. Running a CIS assessment against your own infrastructure is the fastest way to identify and close the hardening gaps that make MSPs attractive targets. Offering CIS assessments as a service to clients creates a recurring compliance revenue stream that scales with your existing client base and differentiates in a market where 71% of MSPs struggle to acquire new customers.
The same assessment methodology applies whether the framework is CIS Controls, NIST 800-171 (which underpins CMMC Level 2), or the CIS Benchmarks for specific platforms like Microsoft 365, Azure, or AWS. An MSP that can demonstrate its own environment meets CIS benchmarks has a documented, evidence-backed answer to the CMMC assessor’s question. An MSP that offers that same rigor to clients creates a compliance relationship that is harder to displace than break-fix or basic monitoring.
What This Means in Practice
The 75% breach statistic is a market signal. It tells MSPs that their own infrastructure is being targeted at scale, by organized ransomware operators, through vulnerabilities specific to managed services tooling and hosting platforms.
The CMMC Phase 2 timeline adds regulatory consequence. For MSPs in the defense supply chain, the window to get your own house in order before auditors start asking questions is measured in months, not years.
The market data adds economic context. Compliance services are growing at double-digit rates. MSPs that build assessment capability now position themselves on the right side of both curves: reducing their own attack surface while capturing revenue from a service category that is expanding regardless of what happens to deal sizes or AI monetization.
The starting point is the same in every case: assess your own environment against a recognized framework, document the results, close the gaps, and build the muscle to do the same for clients.
Sources:
- CyberSmart MSP Survey 2026 (IT Security Guru)
- WatchGuard MSP Cybersecurity Trends Report 2026
- Acronis H2 2025 Cyberthreats Report
- Qilin Ransomware Surges into 2026 (Barracuda)
- Dark Web Profile: Qilin (SOCRadar)
- Akira Ransomware Playbook (CybelAngel)
- CISA/FBI Joint Advisory on Akira Ransomware
- CVE-2026-41940: cPanel Authentication Bypass (Rapid7)
- cPanel Zero-Day Exploited for Months (Help Net Security)
- cPanel CVE-2026-41940 Exploited Within 24 Hours (Daily Security Review)
- MSPs Targeted in cPanel Vulnerability Exploits (MSSP Alert)
- CMMC Phase 2 Preparation (Secureframe)
- CMMC Phase 2 Requirements 2026 (GreyPike)
- CMMC Certification for DoD Contractors (Elevate Consult)
- CMMC Inheritable Controls: Why “My MSP Handles It” Isn’t Good Enough (MAD Security)
- State of the MSP Report 2026 (MSP Success)
- CaaS Market Size (Grand View Research)
- vCISO Market Report 2025 (Blue Radius)