CVE-2026-48558
Published 2026-06-12
Priority: P1 · 98 · critical · 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2026-07-02
Exploited in the wild
EPSS: 1.22% (64.9th percentile)
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
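To make the CWE-347 defect concrete, here is an added example (not SimpleHelp's code and not from any of the sources cited on this page) that contrasts an ID-token handler which trusts the claims without checking the signature with one that verifies signature, pinned algorithm, issuer, audience and expiry before any claim is used. It assumes an HS256 shared-secret identity provider and constructed keys, issuer, audience and subject values so that it runs on the standard library alone; a real OIDC deployment verifies RS256/ES256 signatures against the keys published at the IdP's JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_id_token(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed ID token; stands in for the identity provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def claims_unverified(token: str) -> dict:
    """Vulnerable pattern (CWE-347): trust the payload, never check the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def claims_verified(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Hardened pattern: pinned alg, signature, iss, aud and exp are checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":  # never let the token pick the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("issuer/audience mismatch")
    if int(claims.get("exp", 0)) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims

# Constructed demo values: the key the server shares with its IdP, and a key nobody issued.
IDP_KEY = b"constructed-idp-secret-for-demo"
ISSUER, AUDIENCE = "https://idp.example.test", "simplehelp-demo-client"
VALID = mint_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 2_000_000_000}, IDP_KEY)
FORGED = mint_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": 2_000_000_000}, b"wrong-key")

def login_outcomes() -> dict:
    """Subject each pattern would log in for the genuine and forged token (None means rejected)."""
    def hardened(tok):
        try:
            return claims_verified(tok, IDP_KEY, ISSUER, AUDIENCE)["sub"]
        except ValueError:
            return None
    return {"vulnerable_valid": claims_unverified(VALID)["sub"], "vulnerable_forged": claims_unverified(FORGED)["sub"],
            "hardened_valid": hardened(VALID), "hardened_forged": hardened(FORGED)}
```

The unverified handler accepts whatever subject the token body names, which is exactly how a self-minted token yields a technician session; the verifying handler admits only the token signed by the IdP.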
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simple-help | simplehelp | < 5.5.16 | 5.5.16 |
| simple-help | simplehelp | — | — |
| simplehelp | simplehelp | >= 5.5.0 < 5.5.16 | 5.5.16 |
| simplehelp | simplehelp | >= 6.0 < 6.0 RC2 | 6.0 RC2 |
Detection & IOCs (extracted from sources)
- Hunt for new authenticated Technician accounts with unknown or suspicious names and/or email addresses — these are a primary indicator of CVE-2026-48558 exploitation.
- Detect TaskWeaver loader activity by monitoring for node.exe executing a file named jquery.js — a masquerading technique used to blend in with legitimate JavaScript libraries.
- Monitor for outbound encrypted connections from managed endpoints to 'a.dev-tunnels[.]com', used by TaskWeaver as its C2 channel.
- Monitor for outbound connections to 96.126.130[.]126 on port 58942, used for exfiltration of TAR/GZIP/AES-256-GCM encrypted data by Djinn Stealer.
- On Linux endpoints managed by SimpleHelp, alert on processes reading /proc/<pid>/cmdline and /proc/<pid>/environ in bulk, indicative of Djinn Stealer credential harvesting.
- CVE-2026-48558 only affects SimpleHelp servers with OIDC authentication configured (generic OIDC or Azure AD OIDC); servers using other authentication methods are not vulnerable.
- MFA enforcement does not mitigate this vulnerability — on first login, the attacker-controlled Technician account can self-register its own MFA method, bypassing the control entirely.
- If patching to 5.5.16 / 6.0 RC2 is not immediately possible, restricting technician login sources via IP-based allowlists is a documented interim mitigation.
CVSS provenance
- NVD · v3.1 · 10.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD · v4.0 · 9.5 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck · 10.0 · CRITICAL
- CISA · 10.0 · CRITICAL
CISA
SimpleHelp Authentication Bypass Vulnerability
cisa·2026-06-29·CVSS 10.0
CVE-2026-48558 [CRITICAL] CWE-347 SimpleHelp Authentication Bypass Vulnerability
Vulnerability: SimpleHelp Authentication Bypass Vulnerability
Affected: SimpleHelp SimpleHelp
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forens
VulDB
SimpleHelp up to 5.5.15/6.0 RC1 Multi-Factor Authentication signature verification
vuldb·2026-06-12·CVSS 10.0
CVE-2026-48558 [CRITICAL] SimpleHelp up to 5.5.15/6.0 RC1 Multi-Factor Authentication signature verification
A vulnerability classified as critical has been found in SimpleHelp up to 5.5.15/6.0 RC1. Affected is an unknown function of the component Multi-Factor Authentication. Performing a manipulation results in improper verification of cryptographic signature.
This vulnerability is reported as CVE-2026-48558. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow.
ghsa_unreviewed·2026-06-12
CVE-2026-48558 [CRITICAL] CWE-347 SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow.
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
VulnCheck
SimpleHelp Authentication Bypass Vulnerability
vulncheck·2026·CVSS 10.0
CVE-2026-48558 [CRITICAL] CWE-347 SimpleHelp Authentication Bypass Vulnerability
SimpleHelp Authentication Bypass Vulnerability
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
Affected: SimpleHelp SimpleHelp
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Req
No detection rules found.
No public exploits indexed.
Hackernews
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
blogs_hackernews·2026-06-30·CVSS 10.0
CVE-2026-48558 [CRITICAL] Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
## Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer.
The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated attacker could exploit to obtain a fully authenticated Technician session by submitting a forged token containing arbitrary identity claims.
"TaskWeaver
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Bleepingcomputer
SimpleHelp bug lets hackers create rogue remote support accounts
blogs_bleepingcomputer·2026-06-15·CVSS 10.0
CVE-2026-48558 [CRITICAL] SimpleHelp bug lets hackers create rogue remote support accounts
## SimpleHelp bug lets hackers create rogue remote support accounts
By Bill Toulas
A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol.
The flaw is tracked as CVE-2026-48558 and received a critical severity rating. It impacts SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.
Researchers at offensive security company Horizon3.ai explain that the issue is caused by how identity assertions received from an OIDC identity provider (IdP) are validated.
When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through the multi-factor authentica
References
- https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
- https://simple-help.com/release-news
- https://simple-help.com/security/simplehelp-security-update-2026-05
- https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48558
Timeline
- 2026-06-12: Published
- 2026-06-29: Added to CISA KEV
- Exploited in the wild