A severe authentication bypass vulnerability (CVE-2026-48558) has been disclosed in SimpleHelp, a remote management and support application commonly used by enterprises and MSPs. Discovered via Horizon3.ai’s autonomous research pipeline “Sua Sponte,” the vulnerability stems from a total failure to verify the cryptographic signatures of OpenID Connect (OIDC) identity tokens. This allows remote, unauthenticated threat actors to forge tokens and gain full administrative (“Technician”) privileges over exposed servers, bypassing MFA under certain conditions. With roughly 14,000 SimpleHelp instances currently exposed to the internet, approximately 7.2% of them using the vulnerable OIDC configuration, immediate patching or mitigation is strongly recommended.
Severity: Critical
Campaign Summary
- Vulnerability Identifier: CVE-2026-48558
- CVSS Score: 10.0
- CWE-347: Improper Verification of Cryptographic Signature
- Affected Software: SimpleHelp versions 5.5.15 and prior, and 6.0 pre-release versions (prior to RC2)
- Prerequisites for Attack: The SimpleHelp server must have OIDC authentication enabled and mapped to at least one TechnicianGroup.
- Threat Vector: Network (Remote, unauthenticated, zero user interaction required)
Technical Analysis & Exploitation Mechanism
- Root Cause: When OpenID Connect (OIDC) is configured to handle single sign-on (SSO) via an external Identity Provider (IdP), SimpleHelp accepts JSON Web Tokens (JWT) submitted during the login handshake without validating their cryptographic signature.
- Adversary Capability: An attacker can generate a completely forged JWT containing arbitrary identity claims. By passing this forged token to the authentication endpoint, the attacker can hijack or provision a new “Technician” account.
- Operational Impact: Once authenticated as a Technician, the attacker inherits full administrative capabilities, including the ability to initiate remote desktop control sessions on managed endpoints, execute arbitrary payloads/scripts, and monitor organization-wide infrastructure. Furthermore, mandatory MFA controls integrated at the IdP layer are completely bypassed.
Indicators Of Compromise & Detection Guidance
1. Application Audit Review
Administrators should audit the technician list via the SimpleHelp UI to search for unauthorized identities:
- Path: Administration -> Technicians -> Gear Icon -> Check “Show Group Authenticated Users”
- Action: Review the listed entries for anomalous or unrecognized technician profiles or accounts, including email addresses on unexpected domains.
2. Server Log Analysis
- Path: Administration -> Server Logs
- System logs can also be found on the host at:
  - /opt/SimpleHelp/logs/server.log
  - /opt/SimpleHelp/logs//server.log
- Anomalies to Flag: Search for OIDC login events containing unfamiliar technician names or email aliases that do not match known enterprise rosters. Cross-reference successful technician authentications with network edge access logs to verify geographic and IP legitimacy.
- The [New Anon] tag in configuration save log entries is a strong indicator of unauthorized account creation.
Recommendations
- Upgrade SimpleHelp instances immediately to the patched releases provided in the May 2026 security update (Version 5.5.16 or 6.0 RC2 and later).
- Workaround: If immediate upgrading is unfeasible, navigate to Administration -> Login Security and apply strict IP restrictions to limit the network locations from which Technicians are allowed to authenticate.
- If OIDC integration is not strictly required by your enterprise architecture, disable the OIDC authentication flow entirely until security updates are completed. Ensure the SimpleHelp console itself is restricted behind a corporate VPN or Zero Trust Network Access (ZTNA) gateway rather than being directly exposed to the public internet.
Sources:
- https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
- https://simple-help.com/security/simplehelp-security-update-2026-05
- https://nvd.nist.gov/vuln/detail/CVE-2026-48558