U.S. CISA Adds SimpleHelp Vulnerability to Known Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting SimpleHelp to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation risks.

The flaw, identified as CVE‑2026‑48558 and assigned the maximum CVSS v3.1 score of 10.0, impacts SimpleHelp versions up to 5.5.15 as well as 6.0 pre-release builds. It stems from a failure to properly validate the cryptographic signature of identity tokens when OpenID Connect (OIDC) authentication is enabled. As a result, a remote attacker without authentication can forge identity tokens and gain full technician-level access. In certain configurations, the issue can even allow attackers to bypass multi-factor authentication (MFA) without requiring any user interaction.
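To make the described failure concrete, the following is an added illustration written for this article, not SimpleHelp's own code or Hanley's exploit: an OIDC relying party that decodes an identity token's claims without checking its signature, next to a verifier that checks signature, issuer, audience and expiry before trusting anything. It assumes an HS256 shared key so it runs with the standard library only (real OIDC identity tokens are normally RS256-signed and verified against the provider's published JWKS), and the issuer and audience strings are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo; a real deployment would fetch the
# provider's public keys (JWKS) and verify an RS256 signature instead (assumption).
IDP_KEY = b"constructed-idp-signing-key"
EXPECTED_ISS = "https://idp.example.test"  # hypothetical OIDC issuer
EXPECTED_AUD = "simplehelp-technician"     # hypothetical client_id registered at the IdP


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Used by the tests to sign with the right and a wrong key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The vulnerable pattern: read the payload and trust its claims without ever
    checking the signature, so any tampered or self-minted token is accepted."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_id_token(token: str, key: bytes, now=None) -> dict:
    """Hardened verification: signature first, then issuer, audience and expiry.
    Raises ValueError on any failure; only a fully verified token yields claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour "none"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims
```

The test feeds the same token signed with the wrong key to both paths: the unverified decoder hands back the attacker-chosen subject, the hardened verifier refuses it.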

The vulnerability was discovered by security researcher Zach Hanley of Horizon3.ai, who leveraged generative AI tools during the analysis.

SimpleHelp is widely used as a remote support platform, enabling organizations to remotely administer systems, troubleshoot issues, transfer files, and execute commands across endpoints. IT teams, managed service providers (MSPs), and support desks commonly rely on it to manage infrastructure without physical access.

Because these deployments often grant broad administrative privileges, a successful compromise can have severe consequences. Attackers who gain access to a SimpleHelp server can assume the same permissions as legitimate technicians, enabling them to move laterally within networks, deploy malware, and access or exfiltrate sensitive data.

According to Hanley’s technical findings, the issue affects systems configured with OIDC authentication. In environments where OIDC providers are linked to technician groups and group-based logins are permitted, attackers can create and authenticate a new technician account without prior credentials. Once in, they can perform privileged operations such as remote system access and script execution.

Even in environments with MFA protections, the vulnerability can undermine security controls. Since newly created technician accounts are allowed to enroll their own MFA methods at first login, attackers can effectively bypass enforcement measures.

Exploitation depends on specific configuration conditions, including enabled OIDC authentication, an associated identity provider linked to a TechnicianGroup, and activated group-based login permissions. While full exploitation details have not been publicly disclosed, researchers have released indicators of compromise (IoCs) to help organizations detect suspicious activity.

Security firm BlackPoint reported observing real-world attacks exploiting this vulnerability. During investigations, researchers identified two previously unknown malware strains, TaskWeaver and Djinn Stealer, linked to intrusions that began with successful exploitation of CVE‑2026‑48558. In these cases, attackers used the flaw to bypass authentication controls and establish technician sessions.

The exposure landscape for SimpleHelp has also expanded significantly. Since January 2025, the number of internet-facing SimpleHelp servers has reportedly grown from roughly 3,400 to nearly 14,000, with approximately 7.2% configured in a way that makes them vulnerable to this authentication bypass.

CISA’s inclusion of the flaw in the KEV catalog means federal civilian executive branch (FCEB) agencies are required to remediate the issue by a specified deadline under Binding Operational Directive (BOD) 22‑01, which aims to reduce the risk posed by actively exploited vulnerabilities. The agency has set July 2, 2026, as the deadline for federal systems to be secured against this threat.

CISA also strongly encourages private-sector organizations to review the KEV catalog and prioritize patching or mitigating listed vulnerabilities within their own environments.

This is not the first time SimpleHelp has drawn attention from CISA. In April 2026, the agency added two other SimpleHelp-related issues to the KEV list: CVE‑2024‑57726, involving missing authorization controls, and CVE‑2024‑57728, a path traversal vulnerability. Those additions further underscore the security risks associated with the platform if it is not properly maintained and updated.
