Critical SimpleHelp Flaw Allows Unauthenticated Technician Account Creation
A newly disclosed critical vulnerability, **CVE-2026-48558**, in **SimpleHelp** remote management software enables unauthenticated attackers to create privileged technician accounts. This flaw specifically impacts servers utilizing **OpenID Connect (OIDC)** authentication, potentially granting malicious actors extensive control over managed endpoints.
A significant security flaw has been identified in **SimpleHelp** remote management software, allowing unauthenticated attackers to bypass security protocols and establish privileged technician accounts. The vulnerability, tracked as **CVE-2026-48558**, has been assigned a critical severity rating and affects **SimpleHelp** versions 5.5.15 and older, as well as 6.0 pre-release versions.
### The Vulnerability Explained
Researchers at offensive security company **Horizon3.ai** discovered that the issue stems from inadequate validation of identity assertions received from an **OIDC** identity provider (**IdP**). When **OIDC** authentication is enabled, an attacker can create and log in as a new Technician user without needing to complete the multi-factor authentication (**MFA**) process.
**Zach Hanley**, a researcher at **Horizon3.ai**, explained, "This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more."
### Patches and Impact
**SimpleHelp** addressed the vulnerability on June 9, releasing patched versions 5.5.16 and 6.0RC2 of the product. While the flaw carries a critical rating, it does not affect all **SimpleHelp** servers: only those configured to use the **OIDC** protocol, including generic **OIDC** and **Azure AD OIDC**, are exposed, a configuration that is common in larger enterprises.
For the exploit to succeed, several conditions must be met:
* **OIDC** authentication must be enabled.
* At least one Technician Group must be associated with the **OIDC** provider.
* The group must have "Allow group authenticated logins" enabled.
Shodan scans reveal approximately 14,000 **SimpleHelp** servers exposed to the public internet. Analysis suggests that around 7.2% of these are configured for **OIDC** authentication, with **Horizon3.ai** noting that the "Allow group authenticated logins" setting is frequently enabled.
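The root cause described above is insufficient validation of the identity assertion before a technician account is created, and the conditions listed show that a group's "Allow group authenticated logins" flag is the gate for auto-provisioning. As an added illustration, not SimpleHelp's or Horizon3.ai's code, the block below shows the checks an OIDC relying party must apply to an ID token before a group claim is allowed to create an account, and how the group flag gates provisioning. The shared HS256 key, issuer, client ID, token and group names are constructed for the demo; a real IdP signs with RS256 keys published at its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (a real IdP signs with RS256 keys from its JWKS endpoint).
DEMO_KEY = b"demo-shared-secret"
DEMO_ISSUER = "https://idp.example/"
DEMO_CLIENT_ID = "simplehelp-demo"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 ID token standing in for the IdP's response."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_id_token(token, key, issuer, client_id, nonce, now):
    """Return the claims only if signature, iss, aud, exp and nonce all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the sender pick the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")  # forged or tampered assertion
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")  # token from some other IdP
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("wrong audience")  # token issued for another application
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # replayed assertion
    return claims

def technician_groups_to_provision(claims: dict, group_config: dict) -> list:
    """group_config maps a technician group name to its 'Allow group authenticated
    logins' flag; only groups that are configured AND opted in may auto-create."""
    return [g for g in claims.get("groups", []) if group_config.get(g) is True]
```

Every check in `verify_id_token` must pass before `technician_groups_to_provision` is consulted; an assertion that is unsigned, replayed, or issued for another application must never reach the provisioning step.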
### Mitigation Strategies
Organizations are strongly advised to update to the latest **SimpleHelp** releases immediately to patch **CVE-2026-48558**. If immediate updating is not feasible, a viable mitigation strategy involves restricting technician login sources through IP-based allowlists.

**Horizon3.ai** has also provided indicators of compromise (**IoCs**) to help detect active exploitation. These include the presence of new authenticated technician users with unfamiliar or suspicious names and/or email addresses. Server logs (`/opt/SimpleHelp/logs/server.log` and `/opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log`) may also show technician registrations, email addresses, and configuration changes made by rogue accounts.
While neither **SimpleHelp** nor **Horizon3.ai** has reported evidence of active exploitation, **SimpleHelp** has a history of attracting significant interest from threat actors. Given this, organizations should prioritize applying the available fixes or mitigations without delay.