identity-authentication-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory, internet-exposed-service

Critical SimpleHelp OIDC Flaw Lets Attackers Forge Technician Logins

Updated 22h ago | First seen Jun 12, 2026 | 15 sources

Researchers disclosed CVE-2026-48558, a maximum-severity authentication bypass in SimpleHelp remote management software that allows unauthenticated attackers to forge OpenID Connect identity tokens and log in as a technician. The flaw affects SimpleHelp 5.5.15 and earlier, along with 6.0 pre-release versions, because the OIDC login flow accepts submitted JWT identity tokens without verifying their cryptographic signature. The issue is rated CVSS 10.0 and mapped to CWE-347, with no user interaction required for exploitation.

Successful exploitation can give attackers an authenticated technician session with administrative reach into managed environments, including remote access to endpoints, script execution, and in some cases MFA bypass because technician accounts can enroll their own MFA method at first login. Horizon3.ai said the bug affects deployments using generic OIDC and Azure Active Directory OIDC, and estimated that internet-exposed SimpleHelp servers have grown to nearly 14,000, with about 7.2% using the vulnerable configuration. Defenders were urged to apply vendor patches immediately, restrict technician authentication by IP where patching is delayed, and review technician accounts and server logs for signs of compromise.


EVENT TIMELINE

How this story unfolded

6 events from the most recent confirmed update back to the earliest known activity.

Jun 30, 2026 (2d ago)

CISA orders federal agencies to remediate CVE-2026-48558 by July 2

After adding CVE-2026-48558 to the Known Exploited Vulnerabilities catalog, CISA directed U.S. federal civilian agencies to remediate the SimpleHelp flaw by 2026-07-02. The order followed evidence of active exploitation in the wild.

U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog

CISA adds CVE-2026-48558 to Known Exploited Vulnerabilities catalog

CISA added CVE-2026-48558, the SimpleHelp OIDC authentication bypass flaw, to its Known Exploited Vulnerabilities catalog, reflecting active exploitation concern. The listing elevated urgency for organizations using SimpleHelp, particularly MSPs, to remediate and review exposure.

CVE-2026-48558: SimpleHelp OIDC Flaw Added to KEV - TheCyberThrone
Jun 29, 2026 (3d ago)

Attackers exploit CVE-2026-48558 to deploy TaskWeaver and Djinn Stealer

By 2026-06-29, attackers were reported actively exploiting CVE-2026-48558 on internet-facing SimpleHelp servers to create privileged access and use the platform as a trusted channel into managed systems. Blackpoint linked the intrusions to delivery of the newly identified TaskWeaver malware and Djinn Stealer, which targets credentials, cloud secrets, developer tooling, and cryptocurrency wallets across Windows, macOS, and Linux.

Critical SimpleHelp flaw exploited to deploy new stealer malware
Jun 12, 2026 (20d ago)

CVE-2026-48558 disclosed in SimpleHelp OIDC authentication flow

Researchers disclosed CVE-2026-48558, a maximum-severity authentication bypass in SimpleHelp affecting versions 5.5.15 and earlier and 6.0 pre-release versions. The flaw allows unauthenticated attackers to forge OIDC identity tokens without signature verification and obtain an authenticated technician session, with possible MFA bypass in some cases.

CVE-2026-48558 - SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification
Jun 9, 2026 (23d ago)

SimpleHelp patches CVE-2026-48558 in versions 5.5.16 and 6.0RC2

SimpleHelp released fixes for CVE-2026-48558 on 2026-06-09 in versions 5.5.16 and 6.0RC2. The patch addressed an OIDC authentication flaw that could let unauthenticated attackers create privileged Technician accounts and potentially bypass MFA.

SimpleHelp bug lets hackers create rogue remote support accounts
May 26, 2026 (1mo ago)

SimpleHelp publishes security update for affected 5.5.x and 6.0 versions

According to the Canadian Centre for Cyber Security advisory, SimpleHelp published a security update on 2026-05-26 for vulnerabilities affecting versions 5.5.0 up to but not including 5.5.16, and 6.0 up to but not including 6.0 RC2. The notice directs users and administrators to review the vendor advisories and apply the update.

SimpleHelp security advisory (AV26-642) - Canadian Centre for Cyber Security
LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

36 linked

Affected products
16 linked
Simplehelp, Azure Active Directory, Dogecoin, Litecoin, Ethereum, Cloudflare, Bitcoin, Zcash, Dash, Vault, Docker, Github Cli, Helm, Oracle Peoplesoft Peopletools, Claude, Codex

Organizations
14 linked
SimpleHelp, Verizon Communications, Blackpoint Cyber, Horizon3.ai, Linkedin, Cloudflare, X, Beazley Security, Oracle, VulnCheck, SecurityOnline.info, Google, Security Affairs, LinuxSecurity