• Category: Security
  • Status: confirmed
  • Sources: SimpleHelp advisory, CISA KEV, NVD, Horizon3.ai IOCs
  • Summary: CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog on 2026-06-29 (catalog version 2026.06.29, count 1630), marking confirmed exploitation. The flaw (CWE-347) is an OIDC authentication bypass in SimpleHelp remote support software: when OIDC login is configured, identity tokens are accepted without verifying their cryptographic signature, so a remote unauthenticated attacker can forge a token with arbitrary identity claims to obtain a fully authenticated technician session, in some configurations bypassing MFA. A technician account can remote into managed endpoints and run scripts. Affected versions are up to and including 5.5.15 and all 6.0 pre-release builds; fixes shipped in 5.5.16 and 6.0 RC 2 in late May 2026. Reporting counts roughly 14,000 internet-exposed SimpleHelp servers, about 7.2 percent on the vulnerable OIDC configuration. The federal remediation due date is 2026-07-02.
  • Why it matters: SimpleHelp is remote-monitoring-and-management software, so an authentication bypass gives attacker-controlled administrative reach into every endpoint a server manages, a high-value foothold for ransomware operators.
  • Follow-up: Watch for confirmed ransomware campaigns using this vector and patch-adoption telemetry against the 2026-07-02 deadline.

Send feedback on this story