A CVSS 10 flaw in SimpleHelp's remote-support software lets attackers log in as technicians without a password
The bug is a missing signature check on OIDC single sign-on tokens. Attackers are already using it to drop the Djinn Stealer infostealer, and CISA has it on the exploited-vulnerabilities list.

Janet Torvalds
July 7, 2026SimpleHelp, the remote-support and RMM tool that IT teams and managed service providers use to reach into other people's machines, shipped a fix for a flaw that lets an attacker skip the login entirely. CVE-2026-48558 carries a CVSS score of 10.0, the maximum. It is not theoretical. Attackers are already using it to plant an infostealer, and CISA has put it on the Known Exploited Vulnerabilities list with a remediation deadline of July 2.
The interesting part is how simple the bug is once you look at it.
What actually breaks
SimpleHelp supports single sign-on through OpenID Connect (OIDC). When a technician logs in that way, their identity provider hands SimpleHelp a signed token that says, in effect, "this person is who they claim to be." SimpleHelp's job is to check that signature before it trusts the token.
It did not check it properly. According to Horizon3.ai, which disclosed the flaw, the server failed to validate the signature on the OIDC assertion. So an attacker does not need to steal a token or crack a password. They can forge one, hand SimpleHelp a token they wrote themselves, and the server accepts it. That forged token can register and authenticate a brand new "Technician" account, and because the identity is asserted rather than verified, multi-factor authentication on the account never enters the picture.
A technician account is not a low-privilege foothold. In SimpleHelp it is the account that runs remote sessions on managed machines. On an RMM server, that is the point of the software.
Which servers are exposed
Three conditions have to line up for a server to be exploitable: OIDC authentication is enabled, a Technician Group is tied to the OIDC provider, and that group has "Allow group authenticated logins" turned on. A default install with local passwords is not in scope. A shop that wired SimpleHelp into its corporate SSO, which is the configuration most larger deployments end up in, very much is.
Daily Security Review put the number of internet-exposed SimpleHelp servers at roughly 14,000. Not all of them meet the three OIDC conditions, so treat that as the outer bound on the blast radius rather than a count of vulnerable hosts.
It is being used
Help Net Security reported that attackers are exploiting CVE-2026-48558 to deliver Djinn Stealer, a credential- and data-harvesting payload, to machines reachable through compromised SimpleHelp servers. That is the RMM supply-chain problem in one sentence: compromise one management server and you inherit access to every endpoint it manages, which for a managed service provider means its clients. CISA's July 2 deadline applies to federal civilian agencies, but the exploitation is not limited to them.
What to do
Upgrade. SimpleHelp fixed the validation in version 5.5.16 and in the 6.0 RC2 pre-release. Everything at 5.5.15 or earlier, and every 6.0 pre-release build before RC2, is affected.
If you cannot patch immediately, the practical mitigation is to take away the conditions the exploit needs. Go into each Technician Group that uses OIDC and switch it back to local password authentication until you can update. That closes the path without waiting for a maintenance window.
One more thing worth doing after you patch: assume the window between disclosure and your update was long enough to matter, and go looking for Technician accounts you did not create. A forged login leaves an account behind.
Sources (6)
- CVE-2026-48558: SimpleHelp OIDC Auth Bypasshorizon3.ai
- CVE-2026-48558: SimpleHelp Auth Bypass IOCshorizon3.ai
- SimpleHelp vulnerability exploited to deliver Djinn Stealerwww.helpnetsecurity.com
- Recommendations for CVE-2026-48558arcticwolf.com
- CVE-2026-48558 Exposes 14,000 SimpleHelp RMM Serversdailysecurityreview.com
- CVE-2026-48558 SimpleHelp RMM Authentication Bypass (CISA KEV)threat-modeling.com