SimpleHelp Vulnerability Allows Hackers to Create Unauthorized Remote Support Accounts
A critical vulnerability has been discovered in the SimpleHelp remote management software, allowing attackers, on servers configured to use the OpenID Connect (OIDC) authentication protocol, to create privileged technician accounts without authentication.
Identified as CVE-2026-48558, the flaw affects SimpleHelp versions 5.5.15 and older, as well as pre-release versions of 6.0.
Researchers from Horizon3.ai, an offensive security company, explain that the vulnerability stems from improper validation of identity assertions received from an OIDC identity provider (IdP).
With OIDC authentication enabled, a malicious actor can create and access a new Technician user without undergoing the multi-factor authentication (MFA) process, granting them unauthorized access to perform management tasks such as remote endpoint control and script execution.
According to Horizon3.ai researcher Zach Hanley, SimpleHelp addressed the issue on June 9 by releasing versions 5.5.16 and 6.0RC2.
Scope of Impact
CVE-2026-48558 affects a subset of SimpleHelp servers that utilize the OIDC protocol, including the generic version and Azure AD OIDC, commonly found in large enterprises.
Exploiting the vulnerability requires the following conditions:
OIDC authentication must be activated
At least one Technician Group must be linked to the OIDC provider
The group must have “Allow group authenticated logins” enabled
Based on Shodan data, approximately 14,000 SimpleHelp servers are exposed to the public internet, with around 7.2% of them configured for OIDC authentication.
Organizations are urged to update to the latest SimpleHelp versions to mitigate the risk posed by CVE-2026-48558. Alternatively, restricting technician login sources via IP-based allowlists can offer a protective measure.
Figure: Rogue Technician account on SimpleHelp (source: Horizon3.ai)
Horizon3.ai also provides indicators of compromise for detecting active exploitation, such as newly created technician users with suspicious details, and log entries recording their registration and any configuration changes made by the unauthorized accounts.
While there is no evidence of active exploitation reported by SimpleHelp or Horizon3.ai, organizations should promptly implement available fixes and mitigations due to the software’s history of attracting malicious interest.