A vulnerability in the SimpleHelp remote support software could allow an unauthenticated attacker to create a privileged technician account on the server by abusing the OpenID Connect (OIDC) authentication flow.
The flaw is tracked as CVE-2026-48558 and carries a Critical severity rating. It affects SimpleHelp versions 5.5.15 and earlier, as well as the 6.0 pre-release builds.
Researchers at offensive security firm Horizon3.ai explain that the issue stems from the way identity assertions received from OIDC identity providers (IdPs) are validated.
When OIDC authentication is enabled, an unauthenticated attacker can create a new technician user and log in as it without going through the multi-factor authentication (MFA) process.
“By default, this technician can perform privileged administrative actions such as remoting into and running scripts on managed endpoints,” explains Horizon3.ai researcher Zach Hanley.
SimpleHelp fixed the vulnerability in versions 5.5.16 and 6.0RC2, released on June 9th.
Scope of impact
CVE-2026-48558 does not affect every SimpleHelp server running a vulnerable version. It affects only the subset configured to authenticate technicians through OIDC, whether a generic OIDC provider or Azure AD OIDC. Both are common in large organizations.
As the researchers explain, several prerequisites must all hold for the exploit to work:
- OIDC authentication must be enabled
- At least one technician group must be associated with the OIDC provider
- That group must have “Allow group authenticated login” enabled
According to Shodan results, roughly 14,000 SimpleHelp servers are exposed to the public Internet.
Analyzing a random sample, we find that roughly 7.2% are configured to use OIDC authentication.
Additionally, Horizon3.ai found that “Allow group authenticated login” was enabled in many of those cases.
Organizations can prevent attacks exploiting CVE-2026-48558 by updating to the latest SimpleHelp release that addresses the issue.
If updating is not possible, one mitigation is to use IP-based allowlists to restrict where technician logins may originate.

Supply: Horizon3.ai
The researchers also shared indicators of compromise that can help detect active exploitation, such as newly created technician users with unknown or suspicious names or email addresses.
Additionally, logs in “/opt/SimpleHelp/logs/server.log” and “/opt/SimpleHelp/logs/”
Neither SimpleHelp nor Horizon3.ai has reported any evidence of active exploitation.
However, given this product’s history of significant interest from threat actors, organizations are encouraged to apply any available fixes or mitigations without delay.
