CVE Tools

SimpleHelp's 10.0 auth bypass: forge a token, own the RMM (CVE-2026-48558)

A missing OIDC signature check lets an unauthenticated attacker become a privileged technician — and pivot into every machine SimpleHelp manages. KEV-listed, exploited in the wild.

SimpleHelp is remote-support / RMM software — the kind of tool that, by design, can remote into, transfer files to, and run scripts on every machine it manages. CVE-2026-48558 turns that reach against you: when SimpleHelp is configured for OIDC single sign-on, it accepts the identity token presented at login without verifying its cryptographic signature (CWE-347). A remote, unauthenticated attacker forges a token carrying arbitrary identity claims and is handed a fully authenticated Technician session — the most privileged role. From there, the blast radius is the whole managed estate.

What CVE-2026-48558 actually is

Per the vendor advisory and the GitHub Security Advisory (GHSA-m93h-gjv2-fmq2), identity tokens submitted during the OIDC login flow are accepted without verifying their cryptographic signature. That breaks the trust relationship between the identity provider and SimpleHelp: the attacker, not the IdP, decides who you are. Horizon3.ai, whose AI-driven research system discovered the flaw, deliberately withheld the exact mechanism, so whether the failure is acceptance of alg:none, a signing key that is never fetched from the IdP's JWKS endpoint, or a key lookup that trusts whatever issuer the token names is not public. We therefore describe the token as signature-unverified or forged, not literally unsigned.

It gets worse for defenders relying on MFA. Because the forged identity is treated as a brand-new technician, the attacker can register their own MFA device during first login, so organizational MFA never applies: the token never traversed the real IdP, so no IdP-enforced MFA challenge ever happened. The resulting technician account can remote into managed endpoints, run scripts across connected clients, and execute code on the server itself.
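To make the bug class concrete, here is an added example that is not SimpleHelp code and not taken from any of the advisories above: a relying party that decodes an OIDC ID token without checking the signature (the CWE-347 pattern) next to one that pins the algorithm, looks the key up by kid, verifies the signature, and only then reads the claims. The key material, issuer and audience are constructed, and HS256 stands in for the RS256 a real IdP would use so the example runs with the standard library alone.

```python
"""Signature-unverified vs. verified OIDC ID-token handling (CWE-347), stdlib only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key material. Real IdPs sign ID tokens with RS256 and publish
# public keys at the JWKS endpoint; HS256 stands in here so the example runs
# without an RSA library (assumption). The relying party must obtain these keys
# from the IdP itself, never from a URL or key named inside the token.
IDP_KEYS = {"idp-key-1": b"constructed-idp-signing-secret"}
ISSUER = "https://idp.example.test"   # constructed issuer
AUDIENCE = "simplehelp-technicians"   # constructed client_id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, kid: Optional[str], key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a compact JWS; alg='none' with no key reproduces the classic forgery."""
    header = {"alg": alg, "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """The CWE-347 failure mode: read identity claims without checking who signed them."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Hardened path: pin alg, look key up by kid, verify signature, then check claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. The token does not get to choose its algorithm: 'none' and anything unexpected fail.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Key lookup by kid against keys obtained from the IdP, not from the token.
    key = IDP_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # 3. Constant-time comparison over the exact bytes that were signed.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 4. Claims mean something only after the signature holds (a real flow also binds the nonce).
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (AUDIENCE in aud if isinstance(aud, list) else aud == AUDIENCE):
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def rejection_reason(token: str, now: float) -> Optional[str]:
    """None when the token verifies, otherwise why the hardened path refused it."""
    try:
        verify_id_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


def demo(now: float = 1_750_000_000.0) -> dict:
    """Run a forged alg:none token and a genuine one through both paths."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "attacker-chosen",
              "email": "admin@victim.example", "iat": now, "exp": now + 300}
    forged = mint_token(claims, None, None, alg="none")
    genuine = mint_token({**claims, "sub": "tech-1234", "email": "tech@victim.example"},
                         "idp-key-1", IDP_KEYS["idp-key-1"])
    return {
        "vulnerable_accepts_forged_as": decode_unverified(forged)["email"],
        "hardened_rejects_forged": rejection_reason(forged, now),
        "hardened_accepts_genuine_as": verify_id_token(genuine, now)["email"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of checks is the point: algorithm pinned by the relying party, key chosen from IdP-published material, signature verified over the exact encoded bytes, and only then are iss, aud and exp read. A relying party that skips step 3 (or performs it with a key the token itself supplied) is in the position this advisory describes: the attacker picks the email in the payload and becomes that technician.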

The exploitation chain

The whole attack hinges on one decision gate: is 'Allow group authenticated logins' enabled on an OIDC-linked TechnicianGroup? If not, the bug is not exploitable (patch anyway; configuration drifts). If yes, the chain runs unauthenticated, end to end, with no user interaction. The cheapest place to break it is that gate; the most durable is the patch.

CVE-2026-48558 exploitation chain — forged OIDC token to RMM-wide compromise

  1. Internet-facing SimpleHelp (≤ 5.5.15 / 6.0-pre, OIDC) — A SimpleHelp server reachable from the internet with the OIDC login flow enabled. ~14,000 exposed; ~7.2% in the vulnerable config (Horizon3 scans).
  2. OIDC group login enabled? (decision gate) — Needs an OIDC provider + a TechnicianGroup linked to it + 'Allow group authenticated logins' on. Disabling this is the cheapest chokepoint.
  3. No → Not exploitable — patch anyway — No vulnerable config = not exploitable. Keep it off and still upgrade; config can drift and the fix is in code.
  4. Yes → Forge signature-unverified OIDC JWT — Craft a JWT with arbitrary identity claims; SimpleHelp accepts it without checking the signature (CWE-347).
  5. Authenticated Technician session — The forged identity becomes a full Technician: remote control, script execution, file transfer across all managed endpoints.
  6. Self-enroll attacker MFA — First-login enrollment lets the attacker register their own MFA device; org/IdP MFA never applied.
  7. Push to managed endpoints — SimpleHelp itself becomes the delivery channel to downstream client machines. This scope change is why it scores 10.0.
  8. TaskWeaver loader (node.exe jquery.js) — A ~1.08 MB obfuscated Node.js loader masquerading as jquery.js, staged from a Cloudflare tunnel.
  9. Djinn Stealer — Cross-platform infostealer: SSH keys, cloud credentials, source-control/registry tokens, wallets. Beacons to a.dev-tunnels.com.
  10. Credentials stolen across the estate — Secrets harvested from every reachable managed host. Assume-breach cleanup required.

Am I affected?

You're exploitable only if all of these hold: you run an affected version, OIDC is configured, a TechnicianGroup is linked to that OIDC provider, and 'Allow group authenticated logins' is enabled on it. That precondition is why only ~7.2% of internet-exposed servers are actually vulnerable (~1,000 of ~14,000, per Horizon3's own scans). Horizon3 established that figure with test logins; without the unpublished mechanics you cannot confirm it from outside, so check the configuration on the server itself. Patch regardless: disabling the setting only removes the precondition, while the fix is in code.

Affected: SimpleHelp 5.5.15 and earlier; all 6.0 pre-release versions
Fixed: SimpleHelp 5.5.16 (5.5.x) and 6.0 RC2 (6.0), released early-to-mid June 2026
Preconditions: OIDC provider configured + TechnicianGroup linked + 'Allow group authenticated logins' enabled + network reachable
Access required: None; remote, unauthenticated, no user interaction
Impact: Full technician session; remote control / script execution / file transfer to every managed endpoint; MFA bypass
Exposure: ~14,000 internet-facing servers; ~7.2% (~1,000) in the vulnerable OIDC config (Horizon3 scans)
Status: CISA KEV (added 2026-06-29); exploited in the wild; federal due date ~2026-07-02 under BOD 26-04's 3-day tier

Exploited in the wild

Blackpoint Cyber's Adversary Pursuit Group documented the first public in-the-wild abuse on June 29, 2026: an attacker bypassed OIDC on an internet-facing SimpleHelp server, obtained a technician session, and used it to deploy a Node.js loader (tracked as TaskWeaver, masquerading as jquery.js) that pulled down Djinn Stealer — a cross-platform infostealer targeting developer and cloud secrets: SSH keys, cloud credentials, source-control and package-registry tokens, and crypto wallets. The actor is currently unattributed, and no ransomware was observed in this activity.

Detection & hunting

Hunt in two places. On the SimpleHelp server, look for the forged-login tells Horizon3 published (single-origin, so corroborate locally). On managed endpoints, hunt the Blackpoint-reported malware indicators (also single-origin). Two of the network indicators are abused legitimate services, so scope alerts to traffic originating from SimpleHelp-managed hosts rather than blocking the domains outright.

  • Server log (/opt/SimpleHelp/logs/server.log and rotated copies): the literal strings Forged Attacker and [New Anon], plus any unexpected Registering technician login for <email>. An email of the form rapidresponse-<hex>@horizon3.ai indicates a Horizon3 test scan — benign, but it confirms the server is exploitable.
  • Rogue accounts: review Administration → Technicians (enable 'Show Group Authenticated Users') for unfamiliar technicians, and watch for a new technician self-enrolling its own MFA device.
  • Endpoint hashes (SHA-256): TaskWeaver loader 00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c; Djinn Stealer f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc.
  • Process: node.exe <path>\jquery.js (a ~1.08 MB single-line obfuscated 'jQuery').
  • Network (from managed hosts only): User-Agent telemetry-client/1.0; C2 a.dev-tunnels.com and staging *.trycloudflare.com (both abused legitimate Microsoft/Cloudflare tunnel services); exfil 96.126.130.126:58942 (Linode, likely ephemeral — pair with the UA).

# Preserve SimpleHelp logs BEFORE upgrading (KEV / BOD 26-04 triage); audit the technician roster in the admin UI
tar czf /tmp/sh-triage-$(hostname).tgz /opt/SimpleHelp/logs/
grep -rEn 'Forged Attacker|\[New Anon\]|Registering technician login for|rapidresponse-.*@horizon3\.ai' /opt/SimpleHelp/logs/
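The grep above finds the strings; what it does not do is tell a Horizon3 test scan from a hostile self-registration, or read rotated .gz copies. The following added example (ours, not Horizon3's or Blackpoint's tooling) classifies each hit into one of three kinds and turns the set into the triage decision the runbook below asks for. The sample log lines are constructed, the exact layout of a real server.log line is assumed (matching is on the phrases the page quotes), and the KNOWN_TECHNICIANS allow-list is a placeholder to fill from Administration → Technicians.

```python
"""Triage SimpleHelp server.log (plus rotated copies) for the published forged-login tells."""
import gzip
import re
from pathlib import Path
from typing import Iterable, Iterator, List, Optional, Set, Tuple

# Literal log strings published by Horizon3 (as quoted on this page).
FORGED_MARKERS = ("Forged Attacker", "[New Anon]")
# Registration line as the page describes it; the surrounding format of a real
# server.log line is assumed, so match loosely on the phrase and capture the email.
REGISTER_RE = re.compile(r"Registering technician login for (?P<email>\S+)")
# Horizon3's benign test-scan identity: confirms exploitability, not compromise.
H3_SCAN_RE = re.compile(r"^rapidresponse-[0-9a-f]+@horizon3\.ai$", re.IGNORECASE)

# Assumed allow-list; populate it from Administration -> Technicians before running.
KNOWN_TECHNICIANS: Set[str] = {"alice@corp.example"}

# Constructed sample log (not a real SimpleHelp log): one legitimate technician,
# one Horizon3 test scan, one marker line, one unknown self-registration.
SAMPLE_LOG = """\
2026-06-28 03:14:07 INFO  Registering technician login for alice@corp.example
2026-06-28 09:02:51 INFO  Registering technician login for rapidresponse-7f3a9c@horizon3.ai
2026-06-29 01:47:12 WARN  [New Anon] session opened from 203.0.113.45
2026-06-29 01:47:13 INFO  Registering technician login for helpdesk@attacker.example
"""


def iter_log_files(paths: Iterable[Path]) -> Iterator[Tuple[str, int, str]]:
    """Yield (file, lineno, line) across plain and gzip-rotated logs."""
    for path in paths:
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                yield str(path), lineno, line.rstrip("\n")


def classify_line(line: str, known: Set[str]) -> Optional[str]:
    """Map one log line to a finding kind, or None when it carries no indicator."""
    if any(marker in line for marker in FORGED_MARKERS):
        return "forged_login_marker"
    match = REGISTER_RE.search(line)
    if not match:
        return None
    email = match.group("email")
    if H3_SCAN_RE.match(email):
        return "horizon3_test_scan"
    if email.lower() in known:
        return None  # expected technician; a first-login registration is normal here
    return "unknown_technician_registration"


def triage(lines: Iterable[Tuple[str, int, str]], known: Set[str]) -> List[dict]:
    """Collect every indicator hit with its file and line for the evidence package."""
    findings = []
    for source, lineno, text in lines:
        kind = classify_line(text, known)
        if kind is not None:
            findings.append({"file": source, "line": lineno, "kind": kind, "text": text})
    return findings


def verdict(findings: List[dict]) -> str:
    """Turn the set of finding kinds into the triage decision the runbook asks for."""
    kinds = {f["kind"] for f in findings}
    if kinds & {"forged_login_marker", "unknown_technician_registration"}:
        return "assume-breach"
    if "horizon3_test_scan" in kinds:
        return "exploitable-no-hostile-login-seen"
    return "no-indicators"


def demo() -> Tuple[List[dict], str]:
    """Triage the constructed sample as if it were one server.log file."""
    lines = [("server.log", n, text) for n, text in enumerate(SAMPLE_LOG.splitlines(), 1)]
    findings = triage(lines, KNOWN_TECHNICIANS)
    return findings, verdict(findings)


if __name__ == "__main__":
    results, decision = demo()
    for f in results:
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['text']}")
    print("verdict:", decision)
```

Against a live server, feed it the real files instead of the sample: `triage(iter_log_files(sorted(Path("/opt/SimpleHelp/logs").glob("server.log*"))), KNOWN_TECHNICIANS)`. A "no-indicators" verdict is not proof of safety (the indicators are single-origin and the mechanics are unpublished); "exploitable-no-hostile-login-seen" means Horizon3 got in and so could anyone else, which is the patch-today case; "assume-breach" means the cleanup steps below apply.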

What to do now

  1. Triage before you patch (if exposed + unpatched). The KEV 3-day clock is short, but collect evidence first: copy /opt/SimpleHelp/logs/, audit the technician roster, and grep for the indicators above. Upgrading a compromised box can destroy attacker traces.
  2. Upgrade to SimpleHelp 5.5.16 or 6.0 RC2. There is no partial fix.
  3. If you can't patch in time: disable Allow group authenticated logins on the OIDC TechnicianGroup (this removes the precondition — but ensure a break-glass local admin first), IP-restrict technician login, and put the interface behind a VPN. If the deadline is unmeetable, document a formal risk acceptance.
  4. If an MSP runs your SimpleHelp: escalate, get written confirmation of the patched build, and verify externally — you can't patch it yourself. An RMM compromise reaching your endpoints may trigger customer-notification and regulatory duties; loop in legal early.
  5. Assume-breach cleanup if you were exposed: delete rogue technicians, invalidate all sessions, rotate OIDC client secrets, and on managed endpoints rotate cloud credentials, SSH keys, and source-control/registry tokens — Djinn Stealer's whole purpose is theft of exactly those.

FAQ

Is CVE-2026-48558 being exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog on June 29, 2026, and Blackpoint Cyber documented in-the-wild use deploying the TaskWeaver loader and Djinn Stealer. The threat actor is unattributed.
Is it a remote, unauthenticated bug?
Yes — remote, unauthenticated, no user interaction. The one precondition is that SimpleHelp is configured for OIDC with a TechnicianGroup that has 'Allow group authenticated logins' enabled.
Which versions are affected and what's the fix?
SimpleHelp 5.5.15 and earlier, and all 6.0 pre-release versions, are affected. Upgrade to 5.5.16 or 6.0 RC2.
Does it bypass MFA?
It can. Because the forged identity is treated as a new technician, the attacker can register their own MFA device on first login, so organizational MFA does not protect the account.
Is there public exploit code?
Not as of June 30, 2026. Horizon3 withheld the technical mechanics and there is no public PoC or Nuclei template — but the bug is already exploited in the wild, so do not wait for one.

Sources

  • Horizon3.ai — SimpleHelp authentication bypass disclosure + IoCs (primary research): https://horizon3.ai/attack-research/disclosures/CVE-2026-48558-simplehelp-authentication-bypass-iocs/
  • GitHub Security Advisory GHSA-m93h-gjv2-fmq2 (root cause): https://github.com/advisories/GHSA-m93h-gjv2-fmq2
  • SimpleHelp — Security Update 2026-05 (vendor advisory): https://simple-help.com/security/simplehelp-security-update-2026-05
  • CISA — Adds One Known Exploited Vulnerability to Catalog (2026-06-29): https://www.cisa.gov/news-events/alerts/2026/06/29/cisa-adds-one-known-exploited-vulnerability-catalog
  • SecurityWeek — Critical SimpleHelp vulnerability exploited for malware delivery: https://www.securityweek.com/critical-simplehelp-vulnerability-exploited-for-malware-delivery/
  • Help Net Security — SimpleHelp vulnerability exploited (Blackpoint, TaskWeaver/Djinn): https://www.helpnetsecurity.com/2026/06/30/simplehelp-vulnerability-exploited-CVE-2026-48558/
  • The Hacker News — Attackers exploit SimpleHelp CVE-2026-48558: https://thehackernews.com/2026/06/attackers-exploit-simplehelp-cve-2026.html