CVE-2026-48558 — SimpleHelp Authentication Bypass Vulnerability

SimpleHelp RMM — Unauthenticated OIDC Token Forgery Bypassing Authentication and MFA

What is SimpleHelp?

SimpleHelp is a Remote Monitoring and Management (RMM) platform used by managed service providers (MSPs) and IT teams to remotely access, monitor, and manage endpoints. Because a single SimpleHelp server acts as a gateway to potentially thousands of managed endpoints, it is a force-multiplier target: a single compromise grants an attacker lateral movement capability across every machine the MSP administers.

SimpleHelp came to prominence as an attack vector in 2025, when three separate CVEs (CVE-2024-57727, CVE-2024-57728, CVE-2024-57729) were chained by Akira ransomware operators.

Overview

CVE-2026-48558 is a critical (CVSS 10.0) authentication bypass in SimpleHelp's OpenID Connect (OIDC) authentication flow. When OIDC authentication is configured, the server accepts identity tokens during login without verifying their cryptographic signatures. An unauthenticated remote attacker can submit a forged JWT containing arbitrary identity claims and obtain a fully authenticated Technician session. In some configurations this also bypasses multi-factor authentication.

Horizon3.ai discovered the vulnerability in May 2026; patches were released June 9. By the time of public disclosure on June 12, approximately 14,000 internet-exposed SimpleHelp servers were identified, with roughly 1,000 (~7%) configured with the vulnerable OIDC method. Active exploitation was confirmed by Blackpoint Cyber on June 29, 2026 — the same day CISA added the vulnerability to the KEV catalog.

Affected Versions

Channel           Vulnerable              Fixed
SimpleHelp 5.x    5.5.15 and earlier      5.5.16
SimpleHelp 6.0    Pre-release builds      6.0 RC2 / final

Three conditions must all be met for a server to be vulnerable via this path:

  1. OIDC authentication is enabled
  2. A TechnicianGroup is associated with the OIDC provider
  3. "Allow group authenticated logins" is enabled

Technical Details

The root cause is CWE-347 — Improper Verification of Cryptographic Signature. During OIDC login, SimpleHelp accepts the identity token's claims but never validates the token's cryptographic signature. An attacker fabricates a JWT with arbitrary identity claims (any email address, group memberships) and submits it directly to the login endpoint. Because the signature check is absent, SimpleHelp treats the forged token as valid and issues a full Technician session.

MFA bypass: Configured multi-factor authentication does not stop this attack. A newly self-registered Technician account enrolls in MFA during its first login session; because the forged token creates the account at that first login, before any MFA enrollment exists, the attacker's initial session proceeds without an MFA challenge.

Key attack characteristics:

  • No authentication required: Full unauthenticated exploitation
  • Scope Changed: Compromise of the SimpleHelp Technician session enables access to all endpoints under management
  • No user interaction: The vulnerability triggers entirely through the login endpoint

Discovery

Discovered by researchers at Horizon3.ai. Private disclosure was made to SimpleHelp on May 22, 2026. SimpleHelp released patches on June 9, 2026 — 18 days after disclosure. Horizon3.ai published their full technical disclosure with IOCs on June 12, 2026.

Exploitation Context

Active exploitation was documented by Blackpoint Cyber, who observed attackers using a forged OIDC token to obtain a Technician session on an internet-facing SimpleHelp server. Post-compromise, attackers deployed two previously unknown malware families:

TaskWeaver — a Node.js-based loader disguised as jquery.js, fetched from a temporary Cloudflare URL and executed via node.exe. It reconstructs Node.js require() at runtime to evade static analysis and uses AES-256-GCM plus RSA-2048 for C2 communications.

Djinn Stealer — a cross-platform information stealer (Windows/macOS/Linux) delivered as an encrypted JavaScript payload (~298 KB). Targets cloud platform credentials (AWS, Azure, GCP, Oracle Cloud, Okta, Cloudflare), developer tools (GitHub, SSH keys, Docker), AI assistant configs (Claude MCP, Gemini, Codex), package registry tokens, cryptocurrency wallets, and browser-stored credentials. Exfiltration uses PAX tar compressed with gzip and encrypted with AES-256-GCM.

No specific threat actor has been publicly attributed. At public disclosure, Horizon3.ai identified approximately 14,000 internet-exposed SimpleHelp servers, with roughly 1,000 in the vulnerable OIDC configuration.

Remediation

  1. Upgrade immediately: Update to SimpleHelp 5.5.16 or 6.0 RC2 / final as appropriate for your version
  2. Assess your OIDC configuration: If OIDC is not enabled — or if "Allow group authenticated logins" is off — your server is not vulnerable via this specific path; upgrade is still recommended
  3. Audit Technician accounts: Review all Technician accounts for unexpected new entries created after June 9, 2026; investigate and remove any unknown accounts immediately
  4. Search for TaskWeaver and Djinn indicators: Look for jquery.js files in unexpected locations, anomalous node.exe execution initiated by SimpleHelp processes, and outbound connections to Cloudflare worker URLs
  5. Review identity provider logs: Check your OIDC provider (Azure AD, Okta, etc.) for login attempts that don't correlate with legitimate user activity in the June 9–29 window
  6. Limit server exposure: If your SimpleHelp server does not need to be internet-facing, place it behind a VPN or restrict access by IP allowlist to reduce the attack surface

Key Details

Property               Value
CVE ID                 CVE-2026-48558
Vendor / Product       SimpleHelp — SimpleHelp
NVD Published          2026-06-12
NVD Last Modified      2026-06-30
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-347
CISA KEV Added         2026-06-29
CISA KEV Deadline      2026-07-02
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-07-02. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA's "Forensics Triage Requirements" (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

Date          Event
2026-05-21    Horizon3.ai discovers and validates CVE-2026-48558
2026-05-22    Private disclosure to SimpleHelp
2026-06-09    SimpleHelp patches released (5.5.16 / 6.0 RC2)
2026-06-12    CVE published; Horizon3.ai public disclosure — approximately 14,000 exposed servers counted
2026-06-29    Active exploitation confirmed (Blackpoint Cyber); added to CISA Known Exploited Vulnerabilities catalog
2026-07-02    CISA BOD 22-01 remediation deadline