Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

SimpleHelp OIDC Authentication Bypass

IdentifiersCVE-2026-48558CWE-347· Improper Verification of…

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp affecting versions 5.5.15 and earlier and 6.0 pre-release versions. The flaw is in the OpenID Connect (OIDC) authentication flow: when OIDC is configured, SimpleHelp accepts submitted identity tokens during login without verifying their cryptographic signature. Because the application trusts unsigned or improperly validated identity assertions, a remote unauthenticated attacker can forge a token containing arbitrary identity claims and have it accepted as valid. In vulnerable deployments, this allows the attacker to create or obtain a fully authenticated Technician session without possessing legitimate credentials. Reporting also indicates the issue affects common OIDC integrations, including generic OIDC and Azure AD OIDC, and stems from improper validation of identity provider assertions/JWT signature verification.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to bypass authentication and gain a fully authenticated SimpleHelp Technician session. Because Technician accounts are highly privileged in SimpleHelp, this can enable creation of new technician accounts, remote access to managed endpoints, execution of scripts and administrative actions, file transfer, and use of the SimpleHelp server as a trusted management channel into downstream systems. In some configurations, the flaw also bypasses MFA, including scenarios where an attacker can enroll their own MFA method on first login. In MSP and enterprise deployments, compromise of the SimpleHelp management plane can provide broad access across customer or internal environments and facilitate lateral movement, data access, and follow-on malware deployment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable OIDC authentication or change affected Technician Group authentication to local/password-based authentication until the fix can be applied. Restrict access to the SimpleHelp portal and technician login interfaces using IP allowlists, VPN-only access, firewall rules, or network segmentation, and make the server inaccessible from the internet if feasible. Review identity provider integration settings and monitor for indicators of compromise such as unexpected Technician account creation, suspicious logins from unusual IPs/ASNs, POST requests to /technician, anomalous OAuth callback traffic, and unexpected configuration save events. Where compromise is suspected, disconnect affected servers from the network until investigated.

Remediation

Patch, then assume compromise.

Upgrade to a fixed SimpleHelp release immediately. The provided content indicates fixes were released in SimpleHelp v5.5.16 and v6.0 RC2 (or later). Organizations should apply the vendor security update and move all affected systems off versions 5.5.15 and earlier and vulnerable 6.0 pre-release builds. After patching, review for compromise by auditing Technician accounts, authenticated sessions, configuration changes, and relevant server logs; invalidate unrecognized technician sessions and rotate credentials, API keys, and other secrets if compromise is suspected.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SimpleHelpSimplehelpapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

61 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

61 SOURCESView more in app
bleeping computerNews
Jun 29, 2026
Critical SimpleHelp flaw exploited to deploy new stealer malware

A critical authentication bypass vulnerability in SimpleHelp that can allow unauthenticated creation of highly privileged technician accounts on servers using OIDC, enabling compromise of the RMM platform and downstream managed systems.

Read more
cyber security newsNews
Jun 16, 2026
Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure

A critical authentication bypass vulnerability in SimpleHelp Server deployments using OpenID Connect (OIDC) authentication that allows unauthenticated attackers to create a Technician account, bypass MFA, and gain elevated access to managed endpoints and administrative functions.

Read more
help net securityNews
Jun 16, 2026
SimpleHelp RMM flaw could give attackers full access to managed endpoints (CVE-2026-48558) - Help Net Security

A critical authentication bypass vulnerability in SimpleHelp affecting deployments configured to use OpenID Connect (OIDC) authentication, allowing unauthenticated remote attackers to create a forged Technician account, bypass MFA on first login, and gain remote access to managed endpoints.

Read more
linuxsecurityNews
Jun 16, 2026
SimpleHelp OIDC Important Remote Access Risk CVE-2026-48558

An authentication bypass vulnerability in SimpleHelp OIDC authentication that can allow forged identity tokens to be accepted, enabling unauthorized technician access.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity49

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-48558
NVD
nvd.nist.gov/vuln/detail/CVE-2026-48558
MITRE CWE · CWE-347
Improper Verification of Cryptographic Signature
horizon3.ai
horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs
simple-help.com
simple-help.com/release-news
simple-help.com
simple-help.com/security/simplehelp-security-update-2026-05