CVE-2026-48558: SimpleHelp OIDC Auth Bypass Used to Deploy Infostealer Payloads
CVE-2026-48558 is a critical authentication bypass affecting SimpleHelp, a remote support and RMM (remote monitoring and management) platform often used for technician access into managed environments. The issue occurs when SimpleHelp is configured to use OpenID Connect (OIDC) in a specific, vulnerable way.
By late June 2026, defenders tied real-world exploitation to infostealer delivery, and the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
This post breaks down what the flaw is, when you are actually exposed, what attackers are doing with it, and what to prioritize now.
What Is CVE-2026-48558?
CVE-2026-48558 is an OIDC authentication bypass in SimpleHelp caused by improper verification of a cryptographic signature. In affected builds and configurations, SimpleHelp accepts OIDC identity tokens during login without validating the token’s signature.
That gap lets an unauthenticated attacker forge an identity token and obtain a fully authenticated technician session. In an RMM product, technician access is a high-trust control plane that can be abused to reach endpoints and customers downstream.
Details of CVE-2026-48558 (SOCRadar Vulnerability Intelligence)
Which SimpleHelp Versions Are Affected?
The impacted ranges reported publicly include:
- 5.5.1 through 5.5.15
- 6.0 pre-release builds prior to 6.0 RC2
Fix guidance:
- Upgrade to 5.5.16 or later
- For the 6.0 track, move to 6.0 RC2 or later, and ideally the public 6.0 release or later
If you run a beta or release candidate build, do not assume you are safe just because it says “6.0”. The pre-release cutoff matters.
When Is CVE-2026-48558 Actually Exploitable?
Exploitability is not universal; it depends entirely on your OIDC configuration. You are not exploitable via this specific bypass if:
- You are not using OIDC at all, or
- You use OIDC but no Technician Groups are configured for OIDC authentication with “Allow group authenticated logins” enabled
SimpleHelp also notes that technician login IP restrictions and authentication filters can block login attempts depending on policy. That does not replace patching, but it can buy time if you need a short containment window.
How Does Exploitation Work in Practice?
At a high level, the attack flow is:
- The attacker targets a SimpleHelp deployment where OIDC is enabled in a vulnerable configuration.
- They submit a crafted OIDC identity token.
- Because the server does not verify the token signature, it accepts the attacker’s identity claims.
- The attacker lands in a technician session without valid credentials.
From there, the attacker can abuse SimpleHelp like a legitimate operator. In an RMM context, that typically means remote execution, file transfer, and broad access to managed endpoints, depending on segmentation and the privileges assigned to technician groups.
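The root cause described above (the server reads the claims out of an OIDC ID token without checking that the token was signed by the identity provider) is easiest to see side by side with the correct handling. The script below is an added illustration written for this post; it is not SimpleHelp code, and the key, issuer, audience and claim names in it are constructed for the demo. It uses HS256 so it runs on the Python standard library alone; a real OIDC relying party verifies RS256/ES256 signatures against the provider's JWKS, but the validation steps (pin the algorithm, verify the signature over the exact bytes received, then check issuer, audience and expiry) are the same.

```python
"""
Added illustration of the CVE-2026-48558 failure mode: accepting an OIDC
ID token's claims without checking its signature. Not SimpleHelp code; the
key, issuer, audience and claim names below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo parameters (assumptions, not values from the advisory).
IDP_KEY = b"demo-idp-shared-secret"
ISSUER = "https://idp.example.test"
AUDIENCE = "simplehelp-demo-client"
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(key: bytes, claims: dict) -> str:
    """Stand-in for the identity provider: signs the claims with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def login_unverified(token: str) -> str:
    """VULNERABLE pattern: trusts the payload and never looks at the signature.
    Whoever controls the token text controls the resulting identity."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims["email"]


def login_verified(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> Optional[str]:
    """HARDENED pattern: returns the identity only if the token is authentic.
    Returns None on any failure so the caller cannot mistake it for a user."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # 1. Pin the algorithm: the token must not choose it ("none", alg confusion).
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    # 2. Recompute the signature over the exact bytes received; constant-time compare.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    # 3. Bind the token to this IdP, this client, and the present time.
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims.get("email")


def demo() -> dict:
    """Run both login paths on a genuine token and a tampered copy of it."""
    now = 1_782_000_000  # fixed clock so the run is reproducible
    genuine = issue_id_token(IDP_KEY, {
        "iss": ISSUER, "aud": AUDIENCE, "exp": now + 300,
        "email": "tech@example.test",
    })
    # Tampered copy: same header, claims rewritten, original signature kept.
    header_b64, _payload, sig_b64 = genuine.split(".")
    forged_payload = _b64url_encode(json.dumps({
        "iss": ISSUER, "aud": AUDIENCE, "exp": now + 300,
        "email": "admin@example.test",
    }, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"
    return {
        "unverified_genuine": login_unverified(genuine),
        "unverified_tampered": login_unverified(tampered),  # accepted: the bug
        "verified_genuine": login_verified(genuine, IDP_KEY, ISSUER, AUDIENCE, now),
        "verified_tampered": login_verified(tampered, IDP_KEY, ISSUER, AUDIENCE, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unverified path returns whatever e-mail the payload names, which is exactly the condition the advisory describes; the verified path returns None for the tampered token because the signature no longer matches the bytes it covers. Note that the hardened function refuses to take the algorithm from the token header, so an "alg":"none" token is rejected before any comparison happens, and that it fails closed on every check rather than raising an exception the login handler might swallow.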
Is There Active Exploitation?
Yes. Public reporting tied exploitation of CVE-2026-48558 to an intrusion chain that delivers an infostealer.
Observed tooling in this chain includes:
- TaskWeaver, an obfuscated Node.js loader reported masquerading as jquery.js and executed with a command pattern consistent with node.exe <path>jquery.js
- Djinn Stealer, a cross-platform infostealer targeting Windows, macOS, and Linux
The operational point is that this is not limited to an RMM server compromise. The follow-on objective appears to be credential and token theft from reachable systems, including browser data, SSH material, cloud and developer tokens, and other secrets that can expand access beyond the initial SimpleHelp foothold.
CISA KEV addition for CVE-2026-48558 in SimpleHelp
CISA has also added CVE-2026-48558 to the KEV Catalog, elevating the issue to a formally prioritized federal remediation item. Its July 2, 2026 due date under BOD 26-04 reflects the short timeline agencies have to take action.
SOCRadar’s Vulnerability Intelligence
For organizations that use SimpleHelp in MSP-style environments, the risk can grow quickly. A single compromised technician session may become a pivot point into multiple customer environments, making response and credential hygiene just as important as patching.
The issue is also a reminder that SSO integrations can become high-impact failure points when token validation is handled incorrectly. SOCRadar Cyber Threat Intelligence gives your organization one place to track vulnerability developments, exploitation signals, threat actor activity, and related indicators, helping your team prioritize response when trusted remote access systems are at risk.
What Should Defenders Do Right Now?
Patch and validate the fix
- Upgrade SimpleHelp to 5.5.16+ or 6.0 RC2+ (or the public 6.0 release+).
- After patching, confirm the vulnerable OIDC behavior is no longer present and that risky OIDC group settings were not kept unintentionally.
Reduce exposure if you cannot patch immediately
- If feasible, disable OIDC SSO until you can upgrade safely.
- Restrict access to the SimpleHelp server. Limit who can reach the management and technician login surfaces.
- Enforce technician login IP restrictions and confirm authentication filters work as intended.
Hunt for signs of unauthorized technician access
Focus on indicators consistent with the bypass result:
- Review the technician list for unfamiliar entries, especially “group authenticated users” that do not match expected identities.
- Review server logs for unfamiliar technician names or email addresses associated with authentication events.
Treat this as a credential exposure event
Because confirmed campaigns delivered an infostealer, assume sensitive material reachable from impacted systems may be compromised:
- Rotate credentials and tokens accessible from the SimpleHelp server and any endpoints it could reach.
- Prioritize high-value secrets: SSO tokens, cloud credentials, source control access, package registry tokens, SSH keys, and administrative browser sessions.
- If you suspect intrusion, scope laterally. RMM compromise often leads to broader deployment, not a single-host action.
Track the timeline for incident scoping
Key public milestones can help anchor investigations:
- June 12, 2026: public vulnerability reporting and defender-focused compromise checks began circulating
- June 29, 2026: widespread reporting connected exploitation to Djinn Stealer, and KEV status reflected active exploitation
If your logs show anomalous technician authentication patterns starting in that window, treat them as high priority for triage.
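The hunting guidance above (unfamiliar technician identities, especially group-authenticated ones) and the timeline anchors combine naturally into one triage pass over the server's authentication log. The script below is an added example written for this post, not a SimpleHelp utility: the log line layout it parses is an assumption constructed for the demo, as are the roster and the sample lines, so the regular expression must be adapted to the fields your SimpleHelp server actually writes. The dates it uses as the window start are the public milestones listed above.

```python
"""
Added triage helper: flag successful technician logins whose identity is not
in the expected roster, and rank group-authenticated (OIDC) ones that fall on
or after the public disclosure date as high priority. Not SimpleHelp code;
the log format, roster and sample lines are constructed for the demo.
"""
import re
from datetime import datetime, timezone

# Timeline anchor from the public reporting: first public vulnerability reports.
WINDOW_START = datetime(2026, 6, 12, tzinfo=timezone.utc)

# Constructed roster: identities the Technician Groups are expected to contain.
EXPECTED_TECHNICIANS = {"alice@msp.example.test", "bob@msp.example.test"}

# Assumed line shape (not SimpleHelp's real format):
#   <ISO timestamp> AUTH <method> user=<identity> result=<ok|fail> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<method>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real SimpleHelp output).
SAMPLE_LOG = """\
2026-06-09T14:22:30Z AUTH oidc-group user=contractor@partner.example result=ok src=10.0.0.40
2026-06-10T08:01:12Z AUTH password user=alice@msp.example.test result=ok src=10.0.0.5
2026-06-13T02:14:09Z AUTH oidc-group user=svc-admin@idp.example.test result=ok src=203.0.113.7
2026-06-13T02:15:40Z AUTH oidc-group user=bob@msp.example.test result=ok src=10.0.0.9
2026-06-20T23:59:01Z AUTH oidc-group user=helpdesk@contoso.example result=ok src=198.51.100.4
2026-06-21T00:03:55Z AUTH password user=mallory@msp.example.test result=fail src=10.0.0.77
this line is not an auth event and is skipped
"""


def parse_line(line: str):
    """Return a dict of fields for an auth event, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def find_suspicious_logins(log_text: str, roster=EXPECTED_TECHNICIANS,
                           window_start=WINDOW_START):
    """Successful logins by identities outside the roster, highest priority first.

    Priority 'high': group-authenticated login on/after window_start, which is
    the pattern the bypass produces. Everything else outside the roster is
    'medium' and still needs a human look.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok":
            continue  # non-events and failed attempts are out of scope here
        if rec["user"] in roster:
            continue
        in_window = rec["ts"] >= window_start
        group_auth = rec["method"] == "oidc-group"
        findings.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "method": rec["method"],
            "src": rec["src"],
            "priority": "high" if (in_window and group_auth) else "medium",
        })
    # High priority first, then chronological within each band.
    findings.sort(key=lambda f: (f["priority"] != "high", f["ts"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"[{f['priority']:6}] {f['ts'].isoformat()} {f['method']:10} "
              f"{f['user']} from {f['src']}")
```

On the constructed sample this surfaces three identities outside the roster: two group-authenticated logins inside the window (high) and one from before disclosure (medium). The roster should come from the Technician Group membership you expect, not from the technician list on the server itself, since the bypass creates group-authenticated technician entries that would otherwise look legitimate; and a failed password attempt by an unknown user is excluded on purpose, because this hunt is after the successful sessions the bypass yields.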
