SimpleHelp flaw lets attackers forge admin accounts

Key Takeaways

- CVE-2026-48558 scores 10.0 CVSS and lets attackers bypass authentication entirely when OIDC is enabled
- About 7.2% of the 14,000 internet-exposed SimpleHelp servers use the vulnerable OIDC configuration
- SimpleHelp patched the flaw on June 9, 2026 in versions 5.5.16 and 6.0RC2

A critical authentication bypass in SimpleHelp remote management software lets unauthenticated attackers create fully privileged technician accounts. The flaw, CVE-2026-48558, carries a perfect 10.0 CVSS score and affects any SimpleHelp server running version 5.5.15 or earlier with OpenID Connect authentication enabled.
Horizon3.ai researchers disclosed the vulnerability on June 15, 2026. SimpleHelp shipped patches six days earlier, on June 9, but organizations running vulnerable configurations face immediate risk if they haven't updated.
How the SimpleHelp vulnerability works
The root cause is a failure to verify cryptographic signatures on identity tokens during the OIDC login flow. When a user authenticates through an OIDC identity provider, SimpleHelp receives a JSON Web Token (JWT) asserting the user's identity. The server should validate the token's signature to confirm it came from the trusted provider. It doesn't.
“The vulnerability exists because SimpleHelp fails to verify the cryptographic signatures of identity tokens (JWTs) submitted during the OIDC login process.”
— Horizon3.ai researchers
An attacker can forge a token claiming any identity, submit it to the server, and SimpleHelp accepts it. The attacker then lands in the system as a new technician user with full privileges. No password, no MFA, no valid IdP session required.
Once inside, that rogue technician account can remote into managed endpoints, execute scripts, and modify server configuration. For Managed Service Providers running SimpleHelp, a single compromised server means every client machine under its management is exposed.
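To make the root cause concrete, here is an added illustration (not code from SimpleHelp, BleepingComputer or Horizon3.ai) of the difference between decoding an ID token and actually verifying it. The function names (mint_token, vulnerable_login, hardened_login, accepts), the issuer URL, the client id and the signing key are all constructed for the example. It uses HS256 so that it runs with only the Python standard library; a real OIDC provider signs ID tokens with an asymmetric algorithm such as RS256 and the verifying public key is fetched from the provider's JWKS endpoint, but the checks are the same: signature first, then issuer, audience and expiry, and only then trust the claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values standing in for a real identity provider (assumptions,
# not SimpleHelp configuration). Real OIDC IdPs sign with RS256 and publish the
# public key via JWKS; HS256 keeps this example dependency-free.
IDP_KEY = b"constructed-demo-signing-key"
TRUSTED_ISSUER = "https://idp.example.invalid"
CLIENT_ID = "demo-relying-party"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for test purposes. Signing with any key other than
    IDP_KEY produces a token the trusted provider never issued."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def vulnerable_login(token: str) -> dict:
    """The pattern the advisory describes: read the payload and trust whatever
    identity it asserts. The signature segment is never examined."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def hardened_login(token: str, key: bytes, now=None) -> dict:
    """Reject the token unless its signature, issuer, audience and expiry all
    check out. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (guards against alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def accepts(token: str, key: bytes, now=None) -> bool:
    """True if the hardened check would let this token log a user in."""
    try:
        hardened_login(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit = mint_token({"iss": TRUSTED_ISSUER, "aud": CLIENT_ID,
                        "sub": "alice", "exp": 2000000000}, IDP_KEY)
    unsigned_by_idp = mint_token({"iss": TRUSTED_ISSUER, "aud": CLIENT_ID,
                                  "sub": "admin", "exp": 2000000000}, b"wrong-key")
    print("vulnerable accepts unverified token as:", vulnerable_login(unsigned_by_idp)["sub"])
    print("hardened accepts legit token:", accepts(legit, IDP_KEY))
    print("hardened accepts unverified token:", accepts(unsigned_by_idp, IDP_KEY))
```

The vulnerable path returns whatever subject the payload claims; the hardened path refuses any token whose signature does not verify under the provider's key, and also refuses tokens for the wrong issuer or audience or past their expiry. In production use a maintained JOSE library with the algorithm list pinned to the provider's, rather than hand-rolled verification.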

Which SimpleHelp servers are vulnerable?
Not every SimpleHelp instance is at risk. Three conditions must all be true for exploitation:
- OIDC authentication (generic or Azure AD OIDC) is enabled
- At least one Technician Group is associated with the OIDC provider
- That group has "Allow group authenticated logins" turned on
Shodan scans show roughly 14,000 SimpleHelp servers exposed to the public internet. Horizon3.ai sampled these and found 7.2% configured to use OIDC. That's roughly 1,000 servers running the vulnerable setup, many of them belonging to enterprises and MSPs that use OIDC for centralized identity management.
How to detect and mitigate the attack
SimpleHelp released patched versions 5.5.16 and 6.0RC2 on June 9, 2026. Upgrading is the primary fix.
If immediate patching isn't possible, restrict technician login sources using IP allowlists. This limits who can reach the login endpoint in the first place.
To check for compromise, audit technician accounts for unfamiliar names or email addresses. Horizon3.ai recommends reviewing logs at these paths:
- /opt/SimpleHelp/logs/server.log
- /opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log
Look for unexpected technician registrations, email addresses that don't match your organization, and configuration changes you didn't authorize.
No active exploitation yet, but history suggests urgency
Neither SimpleHelp nor Horizon3.ai has reported active exploitation as of June 15. That window is unlikely to stay open long. SimpleHelp has attracted threat actor interest before, and a CVSS 10.0 authentication bypass with public technical details is exactly the kind of bug ransomware operators hunt for.
Security professionals on Hacker News and other forums are flagging the MSP risk specifically: one compromised SimpleHelp server can give an attacker admin-level access to hundreds or thousands of client endpoints. The blast radius is enormous.
Frequently Asked Questions
What is CVE-2026-48558?
A critical authentication bypass vulnerability in SimpleHelp remote management software. It allows unauthenticated attackers to create privileged technician accounts when OIDC authentication is enabled.
Which SimpleHelp versions are affected?
Versions 5.5.15 and earlier, plus 6.0 pre-release versions before 6.0RC2. Patches are available in 5.5.16 and 6.0RC2.
Is my SimpleHelp server vulnerable?
Only if you use OIDC authentication (generic or Azure AD), have a Technician Group linked to the OIDC provider, and have "Allow group authenticated logins" enabled for that group.
Has CVE-2026-48558 been exploited in the wild?
No active exploitation has been reported as of June 15, 2026. However, given the severity and public disclosure, attacks are expected soon.
What should I do if I can't patch immediately?
Restrict technician login sources using IP-based allowlists to limit who can reach the authentication endpoint.
Logicity's Take
This bug is a textbook example of why signature verification on JWTs isn't optional. SimpleHelp trusted identity tokens without confirming they came from the claimed provider, turning OIDC from a security feature into an open door. MSPs should treat this as a wake-up call: any RMM tool that manages hundreds of client endpoints is a high-value target, and authentication bugs in these tools have outsized consequences.
Need Help Implementing This?
If your organization runs SimpleHelp or other remote management tools and needs help auditing configurations or responding to this vulnerability, contact our security advisory partners for an assessment.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer