U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog
2026-6-30 19:47:35 Author: securityaffairs.com


U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a SimpleHelp flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SimpleHelp flaw, tracked as CVE-2026-48558 (CVSS v3.1 score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp versions 5.5.15 and earlier and 6.0 pre-release versions. When OIDC authentication is enabled, the software fails to verify the cryptographic signature of identity tokens, allowing a remote, unauthenticated attacker to forge a token and gain a fully authenticated technician session. In some configurations, the flaw can also bypass multi-factor authentication (MFA), with no user interaction required.
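To make the failure mode described above concrete, the following is an added illustration (not SimpleHelp's code and not taken from Horizon3's analysis) of what an OIDC ID token check must do before a technician session is issued: `decode_without_verifying` is the flawed pattern of trusting claims without a signature check, `validate_id_token` the hardened one. It assumes HS256 with a constructed shared key standing in for the IdP's signing key (real IdPs usually sign with RS256 keys published in their JWKS); the issuer, client_id and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed example: HS256 with a shared secret stands in for the IdP's
# signing key (real OIDC IdPs usually sign with RS256 keys from their JWKS).
IDP_KEY = b"constructed-idp-signing-key"
ISSUER = "https://idp.example/"            # hypothetical issuer
CLIENT_ID = "remote-support-technician-app"  # hypothetical client_id

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    # What the IdP does: header.payload signed with its key.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def decode_without_verifying(token: str) -> dict:
    # The flawed pattern: claims are trusted without checking the signature,
    # so anyone who can build a token can pick the 'sub' it carries.
    return json.loads(b64url_decode(token.split(".")[1]))

def validate_id_token(token, key, issuer, audience, now=None) -> dict:
    # Returns the claims only if alg, signature, iss, aud and exp all check out.
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never accept 'none' or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience != aud and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def token_is_accepted(token, key=IDP_KEY, issuer=ISSUER, audience=CLIENT_ID, now=None) -> bool:
    try:
        return bool(validate_id_token(token, key, issuer, audience, now))
    except ValueError:
        return False
```

A server that only calls something like `decode_without_verifying` will hand out a session for whatever `sub` the token names; the hardened path rejects a token signed with the wrong key, an `alg` of `none`, or an expired token.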

The researcher Zach Hanley (@hacks_zach) of Horizon3.ai discovered the vulnerability with the help of generative AI.

SimpleHelp is a remote support and remote access platform that organizations use to provide technical assistance, manage endpoints, and access computers over the internet. It is commonly deployed by IT departments, managed service providers (MSPs), and help desks to troubleshoot devices, transfer files, run remote commands, and perform system administration without being physically present.

Because SimpleHelp servers often provide privileged access to many customer systems, vulnerabilities in the platform can be particularly dangerous. If attackers compromise a SimpleHelp server, they may gain the same level of access as legitimate technicians, potentially allowing them to move laterally across networks, deploy malware, or steal sensitive data.

“The vulnerability identified affects servers configured to use either version of OIDC and is rooted in the way that SimpleHelp validates the IdP assertions. In many SimpleHelp deployments that have OIDC-type authentication enabled, an unauthenticated attacker can create and authenticate as a new ‘Technician’ user. This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more,” reads a technical analysis published by Hanley.

“Even when the SimpleHelp server is configured to enforce MFA for technicians, this issue allows the attacker to bypass this mechanism because on first login, technicians can self-register their own MFA method.”

The researcher pointed out that the flaw can be exploited only if OIDC authentication is enabled, an OIDC provider is linked to a TechnicianGroup, and the “Allow group authenticated logins” option is enabled. Researchers have withheld technical details but released indicators of compromise to help organizations detect potential exploitation.

BlackPoint researchers first observed attacks in the wild exploiting this vulnerability.

“The Adversary Pursuit Group identified two previously undiscovered malware samples, TaskWeaver and Djinn Stealer,” states the report published by BlackPoint. “The intrusion began with confirmed exploitation of CVE-2026-48558, allowing the attacker to bypass SimpleHelp OIDC authentication and obtain a technician session.”

Since January 2025, exposed SimpleHelp servers have risen from about 3,400 to nearly 14,000. Of those, around 7.2% were found configured with the vulnerable OIDC authentication method, according to the expert.

Hanley also published Indicators of Compromise (IoCs) for this attack.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by the end of this week, on July 2nd, 2026.

In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two other SimpleHelp flaws to the KEV catalog:


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Source: https://securityaffairs.com/194503/security/u-s-cisa-adds-simplehelp-flaw-to-its-known-exploited-vulnerabilities-catalog.html