SimpleHelp auth bypass exploited to deploy TaskWeaver and Djinn Stealer
CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog after active exploitation of a critical authentication bypass in the SimpleHelp remote monitoring and management (RMM) platform. The flaw lies in SimpleHelp’s OIDC authentication flow: identity tokens are accepted without cryptographic signature verification, so a remote, unauthenticated attacker can forge a token and obtain a fully authenticated technician session; in some deployments the issue can also bypass MFA. CISA set a remediation deadline of 2026-07-02 and directed organizations to apply vendor mitigations and follow BOD 26-04 guidance.
Blackpoint Cyber reported that attackers used the vulnerability on Internet-facing SimpleHelp servers to gain technician-level access and deploy an obfuscated Node.js loader called TaskWeaver, which then delivered Djinn Stealer. The malware harvested cloud credentials, SSH keys, API and service account secrets, source control and package registry tokens, browser data, cryptocurrency wallets, and credentials tied to AI development tools across Windows, macOS, and Linux systems. Researchers said the campaign appeared to rely on opportunistic scanning for exposed vulnerable instances, raising concern that compromise of trusted RMM infrastructure could cascade into broader enterprise, cloud, CI/CD, and software supply chain access.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
SimpleHelp releases patches for CVE-2026-48558
SimpleHelp released fixes for the actively exploited authentication bypass vulnerability CVE-2026-48558 in versions 5.5.16 and 6.0 RC2. The flaw affects deployments using generic OpenID Connect or Azure Active Directory OIDC authentication.
CISA updates KEV entry for Microsoft Defender CVE-2026-33825
In the same 2026-06-29 KEV catalog update, CISA changed the "known ransomware campaign use" field of the CVE-2026-33825 entry (Microsoft Defender) from Unknown to Known. The catalog version advanced to 2026.06.29 and the total number of listed vulnerabilities increased from 1629 to 1630.
CISA adds CVE-2026-48558 to the KEV catalog
CISA updated its Known Exploited Vulnerabilities catalog to add CVE-2026-48558, identifying the SimpleHelp authentication bypass as actively exploited. The KEV entry set a remediation due date of 2026-07-02 and directed organizations to apply vendor mitigations and follow BOD 26-04 guidance.
Blackpoint Cyber publishes findings on active exploitation chain
Blackpoint Cyber disclosed its investigation into the intrusion chain involving exploitation of CVE-2026-48558, the TaskWeaver loader, and Djinn Stealer. The report detailed the malware's credential theft focus and the broader risk to enterprise, cloud, CI/CD, and software supply chain environments.
TaskWeaver loader and Djinn Stealer deployed after SimpleHelp compromise
Following initial access via CVE-2026-48558, the attacker used the trusted RMM channel to deploy an obfuscated Node.js loader called TaskWeaver, which retrieved or delivered the second-stage Djinn Stealer payload. Djinn Stealer harvested credentials and sensitive data across Windows, macOS, and Linux systems, including cloud, SSH, package registry, and AI-development-related secrets.
Attackers exploit SimpleHelp flaw to access internet-facing RMM servers
A recent intrusion campaign exploited CVE-2026-48558, a SimpleHelp OIDC authentication bypass, to obtain technician-level sessions on exposed SimpleHelp servers without valid credentials. The activity appeared to involve opportunistic scanning for vulnerable internet-facing instances.
Horizon3.ai discloses SimpleHelp CVE-2026-48558
Horizon3.ai disclosed CVE-2026-48558, an authentication bypass vulnerability in SimpleHelp RMM. The flaw was later reported as actively exploited against internet-facing SimpleHelp servers.
Sources
9 references tracked.
(TLP:CLEAR) Vulnerability Notification - SimpleHelp RMM Authentication Bypass Exploited, CVE-2026-48588 - WaterISAC (waterisac.org)
Attack exploiting SimpleHelp vulnerability deploys novel loader, infostealer | news | SC Media (scworld.com)
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer (thehackernews.com)
SimpleHelp Authentication Bypass Vulnerability Exploited in the Wild to Deploy TaskWeaver Loader (cybersecuritynews.com)
CVE-2026-48558: SimpleHelp OIDC Auth Bypass Used to Deploy Infostealer Payloads (socradar.io)
SimpleHelp vulnerability exploited to deliver mighty Djinn Stealer (CVE-2026-48558) - Help Net Security (helpnetsecurity.com)
A Djinn in the Machine: TaskWeaver’s Node.js Intrusion Chain - Blackpoint Cyber (blackpointcyber.com)
Add Updated KEV Files for 2026-06-29 · cisagov/kev-data@7fcbb76 · GitHub (github.com)
'Djinn' Stealer Targets Cloud, AI Credentials (darkreading.com)