
SimpleHelp CVE-2026-48558 authentication-bypass exploitation

Summary

CVE-2026-48558 is an authentication-bypass vulnerability in SimpleHelp's OIDC authentication flow. CISA added the flaw to the Known Exploited Vulnerabilities catalog on June 29, 2026, citing known exploitation and a July 2, 2026 remediation due date for covered agencies.

CISA says vulnerable SimpleHelp deployments accept identity tokens submitted during login without verifying their cryptographic signature when OIDC authentication is configured. In that configuration, a remote unauthenticated attacker can submit a forged token with arbitrary identity claims to obtain a fully authenticated technician session; in some configurations, this may also bypass multi-factor authentication.
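The bug class CISA describes (CWE-347: claims read out of an ID token that was decoded but never verified) is easiest to see as the weak login path beside the one a correct OIDC relying party implements. The block below is an added illustration written for this page, not SimpleHelp's code and not derived from the vendor notice. It uses HS256 with a shared key only so that it runs on the Python standard library; real OIDC ID tokens are normally RS256 and are verified against the IdP's published JWKS keys. The issuer URL, client_id, key and claim values are hypothetical.

```python
"""CWE-347 in an OIDC relying party: the weak pattern the advisory describes
(session created from ID-token claims that were decoded but never verified)
beside the checks a correct relying party makes before creating a session.

Constructed illustration of the bug class, not SimpleHelp code. HS256 with a
shared key is used only so it runs on the standard library; real OIDC ID
tokens are normally RS256 and are verified against the IdP's JWKS keys.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values: the relying party's registered client_id, the IdP issuer
# and the key shared with that IdP. All hypothetical.
ISSUER = "https://idp.example.test"
CLIENT_ID = "simplehelp-rp"
IDP_KEY = b"idp-shared-secret-for-demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(claims: dict, alg: str) -> tuple:
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return header, _b64url(json.dumps(claims).encode())


def sign_token(claims: dict, key: bytes) -> str:
    """Issue a token the way the IdP would (HS256 over header.payload)."""
    header, payload = _encode(claims, "HS256")
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_token(claims: dict, alg: str = "HS256") -> str:
    """Token from an attacker without the IdP key: arbitrary claims, junk
    signature. alg="none" exercises the classic alg-confusion variant."""
    header, payload = _encode(claims, alg)
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def vulnerable_login(token: str) -> dict:
    """VULNERABLE: base64-decodes the payload and trusts it. Decoding is not
    verification, so any forged token yields a session for any identity."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_unb64url(payload))
    return {"technician": claims["email"], "role": claims.get("role", "user")}


def hardened_login(token: str, key: bytes, expected_nonce: str,
                   now: Optional[float] = None) -> dict:
    """Verify the signature, then iss/aud/exp/nonce, before any session is
    created. Every failure raises; no partial trust in the claims."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm server-side; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return {"technician": claims["email"], "role": claims.get("role", "user")}


def rejection_reason(token: str, key: bytes, nonce: str,
                     now: Optional[float] = None) -> Optional[str]:
    """None if the hardened check accepts the token, else why it was refused."""
    try:
        hardened_login(token, key, nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    forged = forge_token({"iss": ISSUER, "aud": CLIENT_ID, "email": "admin@corp.test",
                          "role": "admin", "exp": time.time() + 600, "nonce": "n1"})
    print("vulnerable path:", vulnerable_login(forged))   # attacker is admin
    print("hardened path:", rejection_reason(forged, IDP_KEY, "n1"))
```

The point of the contrast is that the vulnerable path never touches a key at all, so there is nothing the IdP's MFA policy can do about it: the attacker's token is minted outside the IdP and the relying party has no way to tell. The hardened path also pins the algorithm before looking at the signature, which closes the alg=none variant of the same bug.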

Why this matters

  • SimpleHelp is a self-hosted remote support, remote access, and RMM platform. A technician-session bypass gives an attacker a direct administrative path into support workflows and managed endpoints.
  • The bug sits at an identity boundary rather than in a post-auth feature: on a vulnerable, OIDC-enabled deployment, forged identity claims become an authenticated technician session.
  • CISA's KEV addition converts the issue from a vendor patch notice into a confirmed active-exploitation risk; patching should be paired with a review of authentication events, sessions, and managed endpoints.
  • Remote-support systems are common ransomware and intrusion pivots because they already hold trusted control channels, endpoint inventory, and operator credentials.

Public vulnerability detail

  • Affected product: SimpleHelp remote support / remote access / RMM server.
  • Affected versions: SimpleHelp's June 2026 security notice says v5.5.15 and earlier v5.5.x releases may be vulnerable, and that the prerelease v6.0 line also requires the 6.0 RC2 security update. Use the vendor notice as source of truth for branch-specific fixes.
  • Vulnerability class: improper verification of cryptographic signature (CWE-347) in the OIDC login flow.
  • Access requirement: remote and unauthenticated against a vulnerable OIDC-enabled deployment, per CISA.
  • Impact: forged identity claims can create a fully authenticated technician session; MFA may be bypassed in some configurations.
  • Known exploitation: CISA KEV date added 2026-06-29; the KEV entry lists known use in ransomware campaigns as "Unknown".
  • Fixes named by vendor: SimpleHelp 5.5.16 for v5.5.x users and SimpleHelp 6.0 RC2 for v6.0 users. SimpleSetup custom update URL: https://simple-help.com/releases/5.5.16_202605.

SimpleHelp's notice says not all servers can be exploited and that exploitability depends on server settings and network context. It also says full vulnerability, impact, and compromise-characteristics details will be published later; defenders should not wait for the postmortem before patching and triage.

Defender heuristics

  1. Inventory all SimpleHelp servers, especially internet-facing, partner-facing, MSP, helpdesk, and externally reachable support portals.
  2. Determine whether OIDC authentication is configured. Treat OIDC-enabled SimpleHelp v5.5.15-and-earlier and vulnerable v6.0 prerelease deployments as emergency patch candidates.
  3. Apply SimpleHelp 5.5.16 or 6.0 RC2 according to the vendor notice; CISA's KEV remediation due date is July 2, 2026.
  4. Preserve SimpleHelp web, application, authentication, OIDC/IdP, reverse-proxy, EDR, and operating-system logs before aggressive cleanup where feasible.
  5. Hunt for unusual technician logins, new or modified technician/admin accounts, unexpected OIDC subjects/claims, failed/successful login bursts, MFA anomalies, impossible travel, or sessions not backed by normal IdP token-signing telemetry.
  6. Review SimpleHelp sessions and downstream endpoint actions during the exposure window: remote-control sessions, file transfers, script execution, service installation, credential prompts, and configuration changes.
  7. Rotate or revoke credentials and API tokens accessible from the SimpleHelp host or technician accounts after containment; remote-support compromise should be handled as an identity and endpoint-management incident.
  8. Restrict SimpleHelp administration and technician access behind VPN/SSO/network allow-lists, require IdP token-signature validation, and alert on technician-session creation that does not correlate with an expected IdP token-issuance event.
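Steps 5 and 6 turn into a concrete hunt once server and IdP logs are side by side: a technician session minted from a forged token never produces a token-issuance event at the IdP, so an OIDC login with no IdP counterpart shortly before it is the primary signal, and the actions that identity took afterwards are the step-6 review. The block below is an added example written for this page, not SimpleHelp or vendor code. Both logs are constructed JSON-lines samples with assumed field names (ts, event, method, user, by, src on the server side; sub, client, mfa on the IdP side); map your real SimpleHelp and IdP exports onto them, and tune the 120-second window, before using it.

```python
"""Hunt from steps 5 and 6: OIDC technician logins on the SimpleHelp server
with no matching IdP token-issuance event shortly before them (a forged
token never touches the IdP), and the account/config actions those suspect
identities then performed.

Constructed example, not SimpleHelp or vendor code. The JSON-lines shape and
field names of both logs are assumed; map your real SimpleHelp and IdP
exports onto them before use.
"""
import json
from datetime import datetime, timedelta

# Constructed sample logs. The 09:41 login has no IdP counterpart.
SIMPLEHELP_LOG = """\
{"ts":"2026-06-28T09:00:05Z","event":"technician_login","method":"oidc","user":"alice@corp.test","src":"10.1.1.20"}
{"ts":"2026-06-28T09:41:10Z","event":"technician_login","method":"oidc","user":"admin@corp.test","src":"203.0.113.77"}
{"ts":"2026-06-28T09:42:01Z","event":"technician_created","user":"svc-backup@corp.test","by":"admin@corp.test","src":"203.0.113.77"}
{"ts":"2026-06-28T09:45:30Z","event":"remote_session_started","user":"FILESRV01","by":"admin@corp.test","src":"203.0.113.77"}
{"ts":"2026-06-28T10:15:00Z","event":"technician_login","method":"oidc","user":"bob@corp.test","src":"10.1.1.31"}
"""
IDP_LOG = """\
{"ts":"2026-06-28T08:59:58Z","event":"id_token_issued","sub":"alice@corp.test","client":"simplehelp","mfa":true}
{"ts":"2026-06-28T10:14:52Z","event":"id_token_issued","sub":"bob@corp.test","client":"simplehelp","mfa":true}
"""

# Assumed upper bound on the gap between IdP issuance and the RP login.
WINDOW = timedelta(seconds=120)


def parse(lines: str) -> list:
    """JSON-lines to dicts with a parsed UTC datetime in 't'."""
    out = []
    for line in lines.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["t"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            out.append(rec)
    return out


def find_unbacked_logins(sh_lines: str = SIMPLEHELP_LOG, idp_lines: str = IDP_LOG,
                         window: timedelta = WINDOW) -> list:
    """OIDC technician logins with no id_token_issued for the same subject and
    client within `window` before the login."""
    issued = [r for r in parse(idp_lines)
              if r["event"] == "id_token_issued" and r["client"] == "simplehelp"]
    findings = []
    for login in parse(sh_lines):
        if login["event"] != "technician_login" or login.get("method") != "oidc":
            continue
        backed = any(r["sub"] == login["user"]
                     and timedelta(0) <= login["t"] - r["t"] <= window
                     for r in issued)
        if not backed:
            findings.append({"ts": login["ts"], "user": login["user"], "src": login["src"]})
    return findings


def find_followon_actions(sh_lines: str = SIMPLEHELP_LOG, idp_lines: str = IDP_LOG) -> list:
    """Non-login actions taken by a suspect identity after its unbacked login:
    the step-6 review of what the session was used for."""
    first_unbacked = {}
    for f in find_unbacked_logins(sh_lines, idp_lines):
        t = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
        first_unbacked[f["user"]] = min(t, first_unbacked.get(f["user"], t))
    actions = []
    for rec in parse(sh_lines):
        actor = rec.get("by", rec["user"])
        if rec["event"] == "technician_login" or actor not in first_unbacked:
            continue
        if rec["t"] >= first_unbacked[actor]:
            actions.append({"ts": rec["ts"], "event": rec["event"],
                            "actor": actor, "target": rec["user"]})
    return actions


if __name__ == "__main__":
    for f in find_unbacked_logins():
        print("UNBACKED LOGIN", f)
    for a in find_followon_actions():
        print("FOLLOW-ON", a)
```

Two caveats a practitioner should carry over to the real hunt: clock skew between the server and the IdP can push a legitimate login outside the window, so a miss is a lead, not a verdict; and an attacker who forges a token for an account that also logged in legitimately that day will only be separated from the real user by source address and timing, which is why the finding keeps `src`.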

Sources

  • CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • SimpleHelp security update 2026-05: https://simple-help.com/security/simplehelp-security-update-2026-05
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48558