Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

SimpleHelp OIDC Authentication Bypass

Identifiers: CVE-2026-48558 · CWE-347 (Improper Verification of…)

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp affecting versions 5.5.15 and earlier and 6.0 pre-release versions. The flaw exists in the OpenID Connect (OIDC) authentication flow: when OIDC is configured, SimpleHelp accepts identity tokens submitted during login without verifying their cryptographic signature. Because the application trusts unsigned or forged identity assertions, a remote unauthenticated attacker can submit a crafted token containing arbitrary identity claims and be logged in as a fully authenticated Technician user. The issue is rooted in improper validation of identity provider assertions/JWT signatures during OIDC processing, and in common deployments can result in creation or use of highly privileged Technician access. In some configurations, the flaw also undermines MFA protections because the downstream application accepts the forged token regardless of the identity provider’s authentication guarantees.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to obtain a fully authenticated Technician session on a vulnerable SimpleHelp server. Technician access can provide privileged administrative capability within the RMM/remote support platform, including remote access to managed endpoints, script execution, file transfer, and other management actions. In MSP or enterprise deployments, this can expose downstream client environments and provide a trusted pivot point for lateral movement, malware deployment, credential theft, and broader compromise. In affected configurations, MFA can also be bypassed, further reducing barriers to unauthorized access.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable OIDC authentication or switch affected Technician groups to local/password authentication until the fix can be applied. Restrict access to the SimpleHelp portal and technician login paths using IP allowlists, VPN-only access, firewall rules, or network segmentation, and make the server inaccessible from the public internet where feasible. Review Technician login IP restrictions, monitor for unexpected Technician account creation, suspicious logins, POST requests to /technician, anomalous OAuth/OIDC callback activity, and unexpected configuration changes. If compromise is suspected, disconnect affected servers from the network or internet until remediation is completed.

Remediation

Patch, then assume compromise.

Upgrade to a fixed SimpleHelp release immediately. Fixes are available in SimpleHelp 5.5.16 and 6.0 RC2 or later. Organizations should update all affected servers running 5.5.15 and earlier or vulnerable 6.0 pre-release builds, then review for compromise by auditing Technician accounts, sessions, authentication activity, and relevant server logs. If suspicious activity is found, invalidate unrecognized Technician sessions/accounts and rotate credentials, API keys, and other secrets that may have been exposed through the platform or managed endpoints.

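
The mitigation section asks for monitoring of POST requests to /technician and of anomalous OIDC callback activity, and the remediation section asks for a review of server logs after patching. The script below is an added example serving both, not Mallory's or SimpleHelp's code: it parses web server access logs in combined log format and raises two findings, a technician login POST from outside an allowed source network, and an OIDC callback from a source that never loaded the login page first. The allowlist, the callback path /oidc/callback (the page does not give SimpleHelp's real one), the sample log lines and the "callback without login page" heuristic are all constructed assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed values: the allowlist and callback path are assumptions, not SimpleHelp defaults.
TECHNICIAN_SOURCE_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16"),
                               ipaddress.ip_network("198.51.100.0/24")]
OIDC_CALLBACK_PATH = "/oidc/callback"   # assumption: the page does not give SimpleHelp's actual callback path

# Apache/nginx combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample: one browser login from an allowlisted technician network, and one
# script-driven session from an external address that reaches the callback without the login page.
SAMPLE_LOG = """\
203.0.113.77 - - [10/Mar/2026:03:12:40 +0000] "GET /oidc/callback?state=x HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.77 - - [10/Mar/2026:03:12:41 +0000] "POST /technician HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.4.7 - - [10/Mar/2026:09:01:10 +0000] "GET /technician HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.20.4.7 - - [10/Mar/2026:09:01:14 +0000] "GET /oidc/callback?code=abc&state=s1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.4.7 - - [10/Mar/2026:09:01:15 +0000] "POST /technician HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract source IP, timestamp, method, path and status; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["path"] = event["path"].split("?", 1)[0]   # drop the query string; never carry token material into findings
    return event


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    seen_login_page = defaultdict(bool)   # per source IP: has it loaded GET /technician earlier?
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["ip"])
        if ev["method"] == "GET" and ev["path"] == "/technician":
            seen_login_page[ev["ip"]] = True
        # Rule 1 (from the mitigation text): technician logins should only come from allowed networks.
        if ev["method"] == "POST" and ev["path"] == "/technician" \
                and not any(src in net for net in TECHNICIAN_SOURCE_ALLOWLIST):
            findings.append({"rule": "technician-post-outside-allowlist", "ip": ev["ip"], "ts": ev["ts"]})
        # Rule 2 (heuristic, an assumption): a browser reaches the OIDC callback only after starting
        # at the login page; a callback with no prior login-page load from that source is anomalous.
        if ev["path"] == OIDC_CALLBACK_PATH and not seen_login_page[ev["ip"]]:
            findings.append({"rule": "oidc-callback-without-login-page", "ip": ev["ip"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:15s}  {f['rule']}")
```

On the constructed sample the allowlisted browser session produces nothing, while the external address produces both findings. In a real review, feed the script the full retention window (not just the patch day), since the advisory's assume-compromise stance means the interesting logins may predate the fix, and treat each finding as a pointer into the Technician account and session audit rather than as a verdict on its own.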
PUBLIC EXPLOITS

No public exploit code observed for this vulnerability (0 valid / 0 total tracked).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability (vendor-confirmed product mapping):

Vendor       Product      Type
SimpleHelp   Simplehelp   application

ACTIVITY FEED

58 sources tracked across advisories, community write-ups, and news.

Additional data held in Mallory but not shown on this page: exposure mapping against affected assets, threat actor evidence for observed campaigns, associated malware (2 families, with IOCs), detection signatures (1; YARA, Sigma, Snort and vendor rules), vendor-by-vendor SKU mapping including OEM variants, and social activity (46 items across Reddit, Mastodon and other sources).