CISA added SimpleHelp CVE-2026-48558 to its Known Exploited Vulnerabilities catalog on June 29, 2026, giving federal agencies until July 2 to apply vendor mitigations or stop using the affected product. The issue is an authentication bypass in SimpleHelp’s OIDC login flow, and it matters because SimpleHelp is remote support and remote monitoring software: a compromised technician session can become a direct path into managed endpoints. [1]
The vulnerable condition is specific but serious. According to NVD and CISA’s description, SimpleHelp versions 5.5.15 and earlier, plus 6.0 pre-release versions, can accept identity tokens during OIDC login without verifying the token’s cryptographic signature. In a vulnerable configuration, a remote unauthenticated attacker can submit a forged token with arbitrary identity claims and obtain a fully authenticated technician session; in some setups, that may also bypass multi-factor authentication. [2]
SimpleHelp’s own security notice says not every server is exploitable because risk depends on server settings and network context, but it still tells customers to update as soon as possible. The vendor’s fixed releases are SimpleHelp 5.5.16 for 5.5.x customers and SimpleHelp 6.0 RC2 for 6.0 users. SimpleSetup users are instructed to use the vendor’s custom update URL for the 5.5.16_202605 release. [3]
The severity is not theoretical. NVD lists the weakness as CWE-347: Improper Verification of Cryptographic Signature, and the CNA scoring shown there rates the flaw as CVSS v3.1 10.0 (Critical) and CVSS v4.0 9.5 (Critical). [2] Horizon3.ai has also published indicators for the SimpleHelp OIDC bypass, and NVD references Blackpoint’s TaskWeaver/Djinn intrusion-chain write-up, so incident response should not stop at installing the new build. [4]
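To make the CWE-347 condition concrete, here is an added example (not SimpleHelp’s code, and not taken from any of the referenced write-ups) that places an ID-token decoder which trusts claims without checking the signature beside one that verifies it before returning anything. It assumes an HS256 shared key standing in for the RS256 keys an identity provider normally publishes; the key, claims and token are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

IDP_KEY = b"constructed-demo-key"  # hypothetical IdP signing key, not a real one

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 ID token the way a trusted IdP would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """The CWE-347 pattern: claims are read straight out of the payload and
    the signature segment is never checked, so edited claims are trusted."""
    _header, payload, _sig = token.split(".")
    return json.loads(_unb64url(payload))

def decode_verified(token: str, key: bytes):
    """Recompute the MAC over header.payload and compare in constant time.
    Returns the claims only when the signature matches; None means reject."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never honour "none" or a client-chosen alg
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(payload))

def tampered_token() -> str:
    """Constructed test input: a genuine token whose claims were edited after
    signing, so the signature no longer covers the payload it travels with."""
    genuine = sign_id_token({"sub": "tech-01", "role": "technician"}, IDP_KEY)
    header, _payload, sig = genuine.split(".")
    edited = _b64url(json.dumps({"sub": "tech-01", "role": "admin"}).encode())
    return f"{header}.{edited}.{sig}"

if __name__ == "__main__":
    print("unverified:", decode_unverified(tampered_token()))  # trusts "admin"
    print("verified:", decode_verified(tampered_token(), IDP_KEY))  # None
```

In a real OIDC integration the verifying path also pins the expected issuer and audience and checks expiry; the signature check shown here is the step the vulnerable versions skip.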
What SimpleHelp admins should check now
Start with exposure. Inventory every SimpleHelp server, confirm whether OIDC authentication is enabled, and check whether the admin or technician portal is reachable from the internet. Publicly reachable RMM and remote support systems deserve priority because they fit the same risk pattern seen in fake support and remote-access campaigns, including fake IT support calls against law firms and malware that installs remote access tools through fake documents.
Patch first, then review access. Move 5.5.x servers to 5.5.16 and 6.0 pre-release deployments to 6.0 RC2. After the update, inspect technician accounts, recent technician logins, remote sessions, newly added customers or endpoints, unexpected administrative changes, and authentication events in the period before and after June 29. If OIDC was exposed, also review identity-provider logs for unusual login claims, unexpected user identifiers, or sessions that do not match normal technician activity.
If the server managed customer endpoints, treat the review as a small incident response exercise. Look for suspicious tools, scheduled tasks, remote-control sessions, new services, outbound connections, and credential access on the SimpleHelp host and on recently accessed endpoints. Current reporting around TaskWeaver and Djinn makes credential and token theft a practical concern, similar to other infostealer incidents such as the FortiClient EMS fake-patch campaign that pushed EKZ Infostealer. Rotate credentials for technician accounts and privileged accounts if logs show suspicious access, and notify affected customers if RMM sessions reached their systems.
For organizations that cannot patch immediately, the safer short-term posture is to restrict access to the SimpleHelp server, disable or isolate risky authentication paths where the vendor guidance allows it, and keep the system off the public internet until a fixed version is installed. Because this is already in KEV, delaying until a normal maintenance window is the wrong tradeoff.
References
1. Cybersecurity and Infrastructure Security Agency. Known Exploited Vulnerabilities Catalog: CVE-2026-48558. Added June 29, 2026.
2. National Vulnerability Database. CVE-2026-48558 Detail.
3. SimpleHelp. SimpleHelp Security Update (2026-05).
4. Horizon3.ai. CVE-2026-48558: SimpleHelp Auth Bypass IOCs.