Critical SimpleHelp OIDC Flaw Lets Attackers Forge Technician Logins
Researchers disclosed CVE-2026-48558, a maximum-severity authentication bypass in SimpleHelp remote management software that allows unauthenticated attackers to forge OpenID Connect identity tokens and log in as a technician. The flaw affects SimpleHelp 5.5.15 and earlier, along with 6.0 pre-release versions, because the OIDC login flow accepts submitted JWT identity tokens without verifying their cryptographic signature. The issue is rated CVSS 10.0 and mapped to CWE-347, with no user interaction required for exploitation.
Successful exploitation can give attackers an authenticated technician session with administrative reach into managed environments, including remote access to endpoints, script execution, and in some cases MFA bypass because technician accounts can enroll their own MFA method at first login. Horizon3.ai said the bug affects deployments using generic OIDC and Azure Active Directory OIDC, and estimated that internet-exposed SimpleHelp servers have grown to nearly 14,000, with about 7.2% using the vulnerable configuration. Defenders were urged to apply vendor patches immediately, restrict technician authentication by IP where patching is delayed, and review technician accounts and server logs for signs of compromise.
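The weakness class described above (CWE-347: claims read from a JWT whose signature was never checked), as an added example that is not SimpleHelp's code and not taken from the cited research. It contrasts a parser that trusts the payload with a verifier that checks the signature first. Assumptions: all function names, the issuer and audience strings and the keys are constructed for illustration, `aud` is a single string, and stdlib HS256 stands in for the RS256/JWKS check a real OIDC relying party performs against its identity provider.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_demo_token(claims, key):
    """Stand-in for the identity provider: signs claims with HS256 (constructed)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def parse_claims_unverified(token):
    """CWE-347 pattern: reads the payload and never checks the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_id_token(token, key, issuer, audience, now=None):
    """Return the claims only if signature, alg, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # algorithm is pinned, not taken from the token
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # parsed only after the signature holds
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    idp_key, other_key = b"constructed-idp-key", b"constructed-other-key"
    claims = {"iss": "https://idp.example", "aud": "helpdesk-demo", "sub": "tech1", "exp": time.time() + 300}
    for label, tok in (("idp-signed", mint_demo_token(claims, idp_key)), ("foreign-key", mint_demo_token(claims, other_key))):
        try:
            verify_id_token(tok, idp_key, "https://idp.example", "helpdesk-demo")
            print(label, "accepted")
        except ValueError as e:
            print(label, "rejected:", e, "| unverified parser still returns sub =", parse_claims_unverified(tok)["sub"])
```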

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to remediate CVE-2026-48558 by July 2
After adding CVE-2026-48558 to the Known Exploited Vulnerabilities catalog, CISA directed U.S. federal civilian agencies to remediate the SimpleHelp flaw by 2026-07-02. The order followed evidence of active exploitation in the wild.
CISA adds CVE-2026-48558 to Known Exploited Vulnerabilities catalog
CISA added CVE-2026-48558, the SimpleHelp OIDC authentication bypass flaw, to its Known Exploited Vulnerabilities catalog, reflecting active exploitation concern. The listing elevated urgency for organizations using SimpleHelp, particularly MSPs, to remediate and review exposure.
Attackers exploit CVE-2026-48558 to deploy TaskWeaver and Djinn Stealer
By 2026-06-29, attackers were reported actively exploiting CVE-2026-48558 on internet-facing SimpleHelp servers to create privileged access and use the platform as a trusted channel into managed systems. Blackpoint linked the intrusions to delivery of the newly identified TaskWeaver malware and Djinn Stealer, which targets credentials, cloud secrets, developer tooling, and cryptocurrency wallets across Windows, macOS, and Linux.
CVE-2026-48558 disclosed in SimpleHelp OIDC authentication flow
Researchers disclosed CVE-2026-48558, a maximum-severity authentication bypass in SimpleHelp affecting versions 5.5.15 and earlier and 6.0 pre-release versions. Because the OIDC login flow does not verify token signatures, unauthenticated attackers can forge OIDC identity tokens and obtain an authenticated technician session, with possible MFA bypass in some cases.
SimpleHelp patches CVE-2026-48558 in versions 5.5.16 and 6.0RC2
SimpleHelp released fixes for CVE-2026-48558 on 2026-06-09 in versions 5.5.16 and 6.0RC2. The patch addressed an OIDC authentication flaw that could let unauthenticated attackers create privileged Technician accounts and potentially bypass MFA.
SimpleHelp publishes security update for affected 5.5.x and 6.0 versions
According to the Canadian Centre for Cyber Security advisory, SimpleHelp published a security update on 2026-05-26 for vulnerabilities affecting versions 5.5.0 up to but not including 5.5.16, and 6.0 up to but not including 6.0 RC2. The notice directs users and administrators to review the vendor advisories and apply the update.
Sources
U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
SimpleHelp security advisory (AV26-642) - Canadian Centre for Cyber Security (cyber.gc.ca)
CVE-2026-48558: SimpleHelp OIDC Flaw Added to KEV - TheCyberThrone (thecyberthrone.in)
Critical SimpleHelp flaw exploited to deploy new stealer malware (bleepingcomputer.com)
SimpleHelp Authentication Bypass Hits OIDC Setup (securityonline.info)
CVE-2026-48558: SimpleHelp Auth Bypass IOCs | Horizon3.ai (horizon3.ai)
CVE Record: CVE-2026-48558 (cve.org)
CVE-2026-48558 - SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification (cvefeed.io)


