CVE-2026-48558: A Critical Vulnerability in SimpleHelp Remote Management Software
A vulnerability in the SimpleHelp remote management software, tracked as CVE-2026-48558, has been discovered, allowing unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol. This flaw has received a critical severity rating and impacts SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.
Causes and Consequences of the Vulnerability
According to researchers at Horizon3.ai, an offensive security company, the issue is caused by how identity assertions received from an OIDC identity provider (IdP) are validated. When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through the multi-factor authentication (MFA) process.
Zach Hanley, a researcher at Horizon3.ai, explains that "This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more."
Impact Scope and Prerequisites for Exploitation
CVE-2026-48558 does not impact every SimpleHelp server running a vulnerable version; rather, it affects the subset that relies on the OIDC protocol, whether generic OIDC or Azure AD OIDC, both common in large enterprises. Several prerequisites must hold for the exploit to work: OIDC authentication must be enabled, at least one Technician Group must be associated with the OIDC provider, and that group must have “Allow group authenticated logins” enabled.
Results from Shodan show about 14,000 SimpleHelp servers exposed to the public internet. Analysis of a random sample suggests that roughly 7.2% are configured to use OIDC authentication. Additionally, Horizon3.ai found that the “Allow group authenticated logins” setting is enabled in many cases.
Mitigations and Fixes
Organizations can defend against attacks leveraging the CVE-2026-48558 vulnerability by updating to the latest SimpleHelp releases that address the issue. If updating is impossible, one mitigation is to restrict technician login sources using IP-based allowlists.
The researchers also shared indicators of compromise that can help detect active exploitation, such as new authenticated technician users with unknown or suspicious names and/or email addresses. Additionally, the logs in ‘/opt/SimpleHelp/logs/server.log’ and ‘/opt/SimpleHelp/logs/
Conclusion and Recommendations
Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation. However, given the product's history of attracting significant threat actor interest, organizations are advised to apply the available fixes or mitigations without delay.
SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product. It is essential for organizations to test every layer of their security before attackers do, as security teams log only 54% of successful attacks and alert on just 14%.
- Update to the latest SimpleHelp releases that address the issue.
- Restrict technician login sources using IP-based allowlists if updating is impossible.
- Monitor logs for indicators of compromise.
Source: BleepingComputer