SimpleHelp CVE-2026-48558 RMM Bypass Exploited

A critical SimpleHelp CVE-2026-48558 authentication bypass is letting attackers forge a login token and seize a fully authenticated technician session in the remote monitoring and management (RMM) software thousands of managed service providers use to run client networks. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 29, and researchers have already linked it to two new malware families deployed against downstream customers. If your IT operations are outsourced to a managed provider, this is the question to ask this week: has our vendor patched SimpleHelp?
What Happened
SimpleHelp CVE-2026-48558 (CVSS 10.0) is an authentication bypass in the software’s OpenID Connect (OIDC) login flow, present in version 5.5.15 and earlier plus the 6.0 pre-release build. When OIDC authentication is configured, SimpleHelp accepts ID tokens at login without verifying their cryptographic signature against the identity provider’s keys, so the claims inside the token are trusted as if the identity provider had issued them. That single gap is enough: an unauthenticated remote attacker can forge a token containing arbitrary identity claims and be handed a full “Technician” session, the same level of access a legitimate support engineer has over every device the SimpleHelp server manages.
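As an added illustration of the bug class described above (this is example code written for this page, not SimpleHelp’s code and not taken from the Blackpoint or CISA write-ups), the Python below puts a token check that skips signature verification next to one that does it properly. It uses an HMAC-signed (HS256) token as a stand-in for a real OIDC ID token, which would normally be RS256-signed and verified against the identity provider’s published JWKS; the issuer, audience, keys, claim names and the “Technician” role claim are all invented for the demo. The vulnerable path decodes the payload and trusts its claims; the hardened path pins the algorithm, verifies the signature in constant time, then checks issuer, audience and expiry before creating a session.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Demo-only parameters (assumptions, not SimpleHelp's real configuration).
IDP_KEY = b"idp-signing-key-for-demo-only"      # stands in for the identity provider's key
ATTACKER_KEY = b"anything-the-attacker-likes"   # the attacker never learns IDP_KEY
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "rmm-demo-client"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature). Used both by the demo
    IdP and by the attacker; only the key (and possibly alg) differs."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    if alg == "none":                      # unsigned token, empty signature part
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def vulnerable_login(token: str) -> dict:
    """The bug class: the payload is decoded and its claims are trusted,
    but the signature is never checked, so any issuer is 'valid'."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {"user": claims["sub"], "role": claims["role"]}


def hardened_login(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Verify before trust: pinned algorithm, constant-time signature check,
    then issuer, audience and expiry. Any failure aborts the login."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (blocks alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return {"user": claims["sub"], "role": claims["role"]}


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run a legitimate, a forged and an unsigned token through both paths."""
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": now + 300}
    legit = mint_id_token({**base, "sub": "alice", "role": "Technician"}, IDP_KEY)
    forged = mint_id_token({**base, "sub": "attacker", "role": "Technician"}, ATTACKER_KEY)
    unsigned = mint_id_token({**base, "sub": "attacker", "role": "Technician"}, b"", alg="none")

    def attempt(fn, tok):
        try:
            return fn(tok)
        except ValueError as e:
            return {"rejected": str(e)}

    return {
        "vulnerable_legit": attempt(vulnerable_login, legit),
        "vulnerable_forged": attempt(vulnerable_login, forged),
        "hardened_legit": attempt(lambda t: hardened_login(t, IDP_KEY, now), legit),
        "hardened_forged": attempt(lambda t: hardened_login(t, IDP_KEY, now), forged),
        "hardened_unsigned": attempt(lambda t: hardened_login(t, IDP_KEY, now), unsigned),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The forged token carries exactly the claims the attacker wants and is accepted by `vulnerable_login` as a Technician session; `hardened_login` rejects it on the signature check before ever looking at the claims. Pinning the algorithm matters as much as checking the signature: a verifier that honours whatever `alg` the token names can be talked into skipping verification entirely.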
Blackpoint Cyber documented the exploitation chain in the wild. After establishing the forged session, attackers deployed an obfuscated JavaScript loader named TaskWeaver, delivered as a file called “jquery.js” from a temporary Cloudflare domain. TaskWeaver fingerprints the compromised device and pulls additional modules from its command-and-control server. Its main payload is Djinn Stealer, a cross-platform infostealer running on Windows, macOS, and Linux that harvests cloud provider credentials, identity tokens, Git configuration, GitHub CLI tokens, SSH keys, Docker credentials, package manager credentials, and — notably — configuration files used by AI coding assistants, where API keys and cloud tokens are frequently cached locally. Stolen data is packed into a TAR archive, compressed, and encrypted with AES-256-GCM before exfiltration.
CISA’s own analysis attributes the campaign to a well-resourced group with characteristics of initial-access-broker activity — deliberately targeting MSPs as a route into their downstream customers, rather than attacking end-customer networks directly.
Why It Matters
SimpleHelp is exactly the kind of tool that sits invisibly behind a managed IT relationship: your organization may never interact with it directly, yet it holds interactive remote-control access to every endpoint your provider manages. A single forged token against one MSP’s server sidesteps the security controls of every downstream customer at once, without a single phishing email or malware sample reaching the victim organization first. For DACH Mittelstand companies, where outsourced IT management via MSPs is the dominant delivery model for small and mid-sized organizations, this is a direct third-party risk, not a hypothetical one. Under NIS2 due-diligence obligations, this is precisely the class of supply-chain dependency that now requires documented vendor security assurance, not just an assumption that “our provider handles security.”
What You Should Do Now
- If you run SimpleHelp internally: upgrade immediately to version 5.5.16 or 6.0 RC2, whichever your deployment track supports.
- If SimpleHelp is managed by a third party: contact your MSP today and ask for written confirmation of the patched version and the date it was applied.
- Audit for compromise indicators regardless of patch status: unexpected Technician sessions in SimpleHelp logs, unfamiliar scheduled tasks, and outbound connections to Cloudflare-hosted domains serving unexpected JavaScript files with generic names like “jquery.js.”
- If OIDC authentication is not required for your SimpleHelp deployment, disable it as an immediate compensating control while the patch is confirmed.
If your MSP cannot confirm a patch timeline within 48 hours, treat that as a governance finding in its own right.
DIESEC Perspective
This is the second major “trusted third-party channel” compromise in nine days, after the Klue/Icarus SaaS integration attack on June 23. Where that incident abused a stolen OAuth credential inside a SaaS integration, the SimpleHelp campaign abuses the RMM channel directly, arguably a higher-trust relationship, since it grants interactive control of endpoints rather than API-scoped access. Organizations that have never heard of SimpleHelp are still exposed if their outsourced IT provider runs it. Vendor security questionnaires need to start asking which RMM tool is in use and how quickly it gets patched.
Not sure whether your MSP’s RMM stack carries this exposure? Contact DIESEC for a third-party vendor security review.
Sources: The Hacker News | Blackpoint Cyber
Published: 2026-07-02 | Category: Vulnerabilities & Patches | ~4 min read

