SimpleHelp OIDC auth bypass actively exploited (CVE-2026-48558)

Critical (CVSS 10.0), actively exploited

CVE-2026-48558: SimpleHelp 5.5.15 and 6.0 pre-release builds have an OIDC auth bypass that grants an unauthenticated attacker an admin session. Actively exploited. Update to 5.5.16 or later.

Actively exploited in the wild: CVE-2026-48558 is a critical authentication bypass in SimpleHelp 5.5.15 and earlier and in all 6.0 pre-release builds. It lets an unauthenticated attacker forge OIDC tokens and obtain a fully privileged technician session. Patched in SimpleHelp 5.5.16; update immediately if you use OIDC authentication.

Overview

CVE-2026-48558 is a flaw in the OIDC (OpenID Connect) login flow of the SimpleHelp remote support software. When OIDC is enabled, the application accepts the identity token submitted during login without verifying its cryptographic signature. An attacker can therefore craft a token containing arbitrary claims, including role and organization identifiers, and present it to the login endpoint to authenticate as any user, including a technician with full administrative access.

The vulnerability carries a CVSS score of 10.0 (Critical) because it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction. In deployments where MFA is enforced by the OIDC provider, the bypass also defeats multi-factor authentication, because the forged token is accepted as proof of a completed authentication.

Impact

A remote, unauthenticated attacker exploiting CVE-2026-48558 gains:

  • A fully authenticated technician session in the SimpleHelp console
  • Full remote control over attended and unattended endpoints managed by the server
  • Access to session recordings, file transfers, and chat logs
  • Ability to deploy arbitrary commands or payloads to connected devices

The EPSS score is 0.7%, a low predicted probability of exploitation over the next 30 days, but CISA has confirmed active exploitation in the wild, which makes this a high-priority fix for any organization running SimpleHelp with OIDC enabled.

Remediation

SimpleHelp has released version 5.5.16, which applies proper cryptographic signature verification to all OIDC identity tokens. Users running SimpleHelp 5.5.15 or earlier, or any 6.0 pre-release build, should upgrade to 5.5.16 immediately. If upgrading is not possible in the short term, disable OIDC authentication and fall back to local SimpleHelp accounts as a compensating control, and audit all existing OIDC sessions for signs of unauthorized access.

Security Insight

CVE-2026-48558 is a textbook case of a vendor shipping an OIDC integration without enforcing the protocol's most basic security property: token signature verification. It mirrors similar flaws in other remote access tools (e.g., CVE-2023-23397 in Microsoft Teams) where an identity assertion was trusted rather than validated. For organizations that centralize authentication through OIDC/SSO, it underlines the need to test that token validation is actually enforced at the application layer rather than assumed from the protocol implementation.
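The flaw described in the Overview (claims trusted before any signature check) and the application-layer test the Security Insight calls for can both be shown with a small Go program. This is an added example, not SimpleHelp's code or anything from the advisory: it generates a throwaway RSA key to play the OIDC provider, issues an RS256 ID token, then rewrites the token's claims after signing and feeds the result to a flawed decoder that never looks at the signature and to a hardened verifier that checks the signature, issuer, audience and expiry before trusting anything. The issuer, audience and `role` claim are constructed values; a real deployment would load the provider's public key from its JWKS endpoint rather than generate one locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims: the subset of ID-token claims checked here; "role" is an assumed app-specific claim.
type Claims struct {
	Iss  string `json:"iss"`
	Aud  string `json:"aud"`
	Exp  int64  `json:"exp"`
	Role string `json:"role"`
}

var enc = base64.RawURLEncoding

// signRS256 stands in for the OIDC provider: a compact JWT signed with the provider's RSA key.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// decodeUnverified is the flawed pattern: claims are read straight from the payload; the signature segment is never examined.
func decodeUnverified(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

// verifyIDToken is the hardened path: verify the signature before trusting any claim, then check iss, aud and exp.
func verifyIDToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// The algorithm is fixed to RS256 by construction; the header's alg is never consulted.
	sig, _ := enc.DecodeString(parts[2]) // an undecodable segment simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("signature verification failed")
	}
	c, err := decodeUnverified(token) // safe only now: the payload is authenticated
	if err != nil {
		return Claims{}, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return Claims{}, errors.New("issuer or audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// runScenario signs a genuine token, rewrites its claims after signing (so the signature no longer matches), and reports how each decoder treats the two.
func runScenario(now time.Time) (genuineOK, unsafeAcceptsTampered, hardenedRejectsTampered bool, err error) {
	const iss, aud = "https://idp.example.test", "simplehelp-demo" // constructed values
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	exp := now.Unix() + 300
	genuine, err := signRS256(key, Claims{Iss: iss, Aud: aud, Exp: exp, Role: "viewer"})
	if err != nil {
		return
	}
	escalated, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Exp: exp, Role: "technician"}) // rewritten claims
	p := strings.Split(genuine, ".")
	tampered := p[0] + "." + enc.EncodeToString(escalated) + "." + p[2] // original signature kept
	c, verr := verifyIDToken(&key.PublicKey, genuine, iss, aud, now)
	genuineOK = verr == nil && c.Role == "viewer"
	u, uerr := decodeUnverified(tampered)
	unsafeAcceptsTampered = uerr == nil && u.Role == "technician"
	_, terr := verifyIDToken(&key.PublicKey, tampered, iss, aud, now)
	hardenedRejectsTampered = terr != nil
	return
}

func main() { fmt.Println(runScenario(time.Now())) }
```

Running it prints `true true true <nil>`: the hardened verifier accepts the genuine token, the flawed decoder accepts the tampered token with the escalated role, and the hardened verifier rejects it. An application-layer test for OIDC validation should confirm exactly this shape of behaviour against the provider's published key, and the rejection reasons are worth logging, since a burst of signature failures on the login endpoint is a useful detection signal.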
