A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol.
The flaw is tracked as CVE-2026-48558 and received a critical severity rating. It impacts SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.
Researchers at offensive security company Horizon3.ai explain that the issue is caused by how identity assertions received from an OIDC identity provider (IdP) are validated.
When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through the multi-factor authentication (MFA) process.
"This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more," Horizon3.ai researcher Zach Hanley explains.
SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product.
Impact scope
CVE-2026-48558 does not impact every SimpleHelp server running a vulnerable version; rather, it affects a subset that relies on the OIDC protocol, whether the generic one or Azure AD OIDC, both of them common in large enterprises.
As the researchers explain, there are several prerequisites for the exploit to work:
- OIDC authentication must be enabled
- at least one Technician Group must be associated with the OIDC provider
- the group must have “Allow group authenticated logins” enabled.
Results from Shodan show about 14,000 SimpleHelp servers exposed to the public internet.
Analysis of a random sample suggests that roughly 7.2% are configured to use OIDC authentication.
Additionally, Horizon3.ai found that the “Allow group authenticated logins” is enabled in many cases.
Organizations can defend against attacks leveraging the CVE-2026-48558 vulnerability by updating to the latest SimpleHelp releases that address the issue.
If updating is impossible, one mitigation is to restrict technician login sources using IP-based allowlists.
Rogue Technician account on SimpleHelpSource: Horizon3.ai
The researchers also shared indicators of compromise that can help detect active exploitation, such as new authenticated technician users with unknown or suspicious names and/or email addresses.
Additionally, the logs in ‘/opt/SimpleHelp/logs/server.log’ and ‘/opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log’ may contain technician registrations, email addresses, and configuration changes performed by rogue accounts.
Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation.
However, given the product's history of attracting significant threat actor interest, organizations are advised to apply the available fixes or mitigations without delay.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
English (US) ·