Critical Authentication Bypass in SimpleHelp (CVE-2026-48558)

Executive Summary

On June 12th, a critical vulnerability in SimpleHelp RMM was disclosed by Zach Hanley on behalf of the offensive security firm Horizon3.ai. Tracked as CVE-2026-48558, the flaw lets an unauthenticated, remote attacker create and access privileged "Technician" accounts on SimpleHelp servers configured to use OpenID Connect (OIDC) authentication.

SimpleHelp is commonly used for remote support, remote access, and monitoring within enterprise environments. Technician accounts within the SimpleHelp RMM solution are highly privileged, and by default can remote into managed endpoints, execute scripts, and perform other privileged actions. SimpleHelp has released fixes for the underlying vulnerability, which can be found below.

Given the administrative access typically granted to SimpleHelp RMM deployments and the broad reach they provide within enterprise environments, as well as their history of being targeted by initial access brokers and ransomware operators, Beazley Security recommends affected organizations apply available fixes immediately and conduct a thorough review for any signs of compromise.

Affected Systems and Products

Product       Affected Versions
SimpleHelp    < v5.5.16
SimpleHelp    < v6.0 RC 2

Mitigations / Workarounds

Given the vendor-released patches, we advise customers running vulnerable software to upgrade to non-vulnerable versions of SimpleHelp. If administrators are unable to apply the fixes immediately, disabling OIDC temporarily reduces exposure, since the flaw is only reachable when OIDC authentication is enabled. Doing so limits logins to local accounts until OIDC is re-enabled on a patched server. Disabling OIDC in SimpleHelp can be performed by logging into the SimpleHelp service with a local administrator account and performing the steps below:

  1. Navigate into each Technician Group that uses OIDC.
  2. Switch to the Authentication tab.
  3. Disable or switch the group's authentication back to local/password authentication.

Patches

Official security fixes have been made available by SimpleHelp and can be obtained by following the SimpleHelp Upgrade Guide.

Indicators of Compromise

Active exploitation of this vulnerability has not been confirmed as of publication of this advisory. However, given prior targeting of SimpleHelp by prolific threat actors in previous campaigns, public disclosure of technical details may accelerate exploitation attempts in the coming days.

If Technician login IP restrictions are configured, an attacker must connect from an address those restrictions permit, which narrows the source addresses worth reviewing. If IP restrictions were not configured, Technician logins from unexpected geolocations or ASNs should be treated as a strong indicator of compromise. Defenders can watch for the following signs of compromise:

  • New or unexpected Technician accounts
  • Unexpected Technician account logins, sessions, or tool runs initiated from unrecognized IP addresses
  • Unexpected configuration changes performed by recently created accounts

These logs are available in the SimpleHelp portal under Administration > Server Log > Access, while Administration > History records historical authenticated sessions.

Because the bypass is driven by the attacker presenting a forged token rather than by a legitimate OIDC sign-in, POST requests to the /technician path, or requests to the server's OIDC callback URL, that originate from source IPs outside your expected Technician population (office, VPN egress, or any configured IP restrictions) should be treated as possible bypass attempts. Note that in the standard authorization code flow the callback URL is reached by the user's browser, not by the IdP itself, so the callback source address is the client's, and comparing it against the IdP's addresses will not distinguish legitimate from forged sign-ins. Searching the server log for "Configuration save requested" entries referencing the configuration/serverconfig.xml path can identify configuration changes made through such sessions.
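As an added example (not part of the original advisory and not SimpleHelp's own tooling), the following Python script applies the indicators above to constructed sample log lines: login and OIDC callback hits from source addresses outside an expected-network allowlist, and serverconfig.xml saves performed by a Technician account created shortly before. The log line layout, the "/oidc/callback" path, the account-creation message wording, and the expected networks are all assumptions for the sample; SimpleHelp's real Server Log > Access format differs, so the regular expressions must be adapted to it before use.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed paths: the advisory names "/technician" and an OIDC callback URL; the
# exact callback path of your deployment must be substituted here.
TECH_LOGIN_PATH = "/technician"
OIDC_CALLBACK_PATH = "/oidc/callback"   # assumption, not SimpleHelp's documented path

# Networks from which Technician traffic is expected (office, VPN egress).
# These are sample values, not real deployment data.
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample access-log lines in a generic "timestamp ip method path status"
# layout. This is NOT the real SimpleHelp log format; adjust ACCESS_RE to match yours.
SAMPLE_ACCESS_LOG = """\
2026-06-13T08:01:12Z 10.20.0.15 POST /technician 200
2026-06-13T08:02:40Z 203.0.113.77 POST /technician 200
2026-06-13T08:02:41Z 203.0.113.77 GET /oidc/callback?code=abc&state=xyz 302
2026-06-13T08:03:05Z 192.0.2.40 GET /oidc/callback?code=def&state=uvw 302
2026-06-13T08:04:10Z 203.0.113.77 GET /static/logo.png 200
2026-06-13T08:05:00Z 198.51.100.9 POST /technician 200
"""

# Constructed sample server-log lines (again a stand-in for the real wording).
SAMPLE_SERVER_LOG = """\
2026-06-13T08:02:42Z INFO Technician account created: svc-backup
2026-06-13T08:02:55Z INFO Configuration save requested: configuration/serverconfig.xml (by svc-backup)
2026-06-13T08:03:30Z INFO Configuration save requested: configuration/serverconfig.xml (by admin)
2026-06-13T09:30:00Z INFO Technician account created: helpdesk2
2026-06-13T13:45:00Z INFO Configuration save requested: configuration/serverconfig.xml (by helpdesk2)
"""

ACCESS_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
CREATED_RE = re.compile(r"^(\S+) \w+ Technician account created: (\S+)$")
CONFIG_SAVE_RE = re.compile(
    r"^(\S+) \w+ Configuration save requested: configuration/serverconfig\.xml \(by (\S+)\)$"
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _expected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)


def flag_auth_requests(access_log):
    """Return (timestamp, ip, method, path) for login/callback hits from unexpected sources."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, _status = m.groups()
        bare = path.split("?", 1)[0]          # drop query string before comparing paths
        is_login = method == "POST" and bare == TECH_LOGIN_PATH
        is_callback = bare == OIDC_CALLBACK_PATH
        if (is_login or is_callback) and not _expected(ip):
            hits.append((ts, ip, method, bare))
    return hits


def flag_config_saves_by_new_accounts(server_log, window=timedelta(hours=1)):
    """Return (timestamp, account) for serverconfig.xml saves by accounts created within `window`."""
    created = {}
    hits = []
    for line in server_log.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created[m.group(2)] = _ts(m.group(1))
            continue
        m = CONFIG_SAVE_RE.match(line)
        if m:
            ts, account = _ts(m.group(1)), m.group(2)
            if account in created and ts - created[account] <= window:
                hits.append((m.group(1), account))
    return hits


if __name__ == "__main__":
    for hit in flag_auth_requests(SAMPLE_ACCESS_LOG):
        print("suspicious auth request:", hit)
    for hit in flag_config_saves_by_new_accounts(SAMPLE_SERVER_LOG):
        print("config change by new account:", hit)
```

On the sample data the script flags the two hits from 203.0.113.77 (a login POST followed one second later by a callback) and the login from 198.51.100.9, and the serverconfig.xml save by svc-backup thirteen seconds after that account was created; the save by helpdesk2 falls outside the one-hour window and is not flagged, which is the kind of tuning decision to revisit against your own retention and change-management cadence.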

Technical Details

At the time of writing, SimpleHelp and the disclosing researchers have provided limited technical details regarding the vulnerability, and no public proof-of-concept exploits are known to be available. CVE-2026-48558 is an authentication bypass vulnerability affecting SimpleHelp deployments that are configured to use OpenID Connect (OIDC).

The vulnerability stems from a flaw in SimpleHelp's OIDC authentication workflow that allows an attacker to submit forged tokens carrying arbitrary claims and have them accepted as a valid sign-in. When OIDC authentication is enabled, the flaw allows an unauthenticated attacker to create and log in as a new Technician user even if MFA is enforced at the IdP, since the forged token never passes through the IdP at all.
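The advisory does not say where in SimpleHelp's OIDC handling the check is missing, and the example below makes no claim about that. It is an added illustration of the general bug class the paragraph describes: a relying party that reads identity claims out of an ID token without verifying the token, so that whoever can reach the endpoint can mint a token naming any account. The vulnerable and hardened acceptance routines sit side by side. To stay stdlib-only it uses HS256 with a shared secret; a real OIDC relying party verifies RS256/ES256 signatures against the IdP's published JWKS, but the algorithm pinning and the issuer, audience, expiry and nonce checks are the same. The issuer, client ID, secret and claim values are invented for the example and are not SimpleHelp's.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the example; none of them come from SimpleHelp.
ISSUER = "https://idp.example.com"
CLIENT_ID = "simplehelp-rmm"
IDP_SECRET = b"example-shared-secret-not-for-production"   # stands in for the IdP's signing key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims, key, alg="HS256"):
    """Mint a JWT. key=None with alg='none' yields an unsigned token, as an attacker would craft."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if key else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def accept_token_insecure(token):
    """VULNERABLE pattern: trust whatever claims the token carries, no verification at all."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_token(token, now=None, expected_nonce=None):
    """Hardened acceptance: pinned alg, valid signature, then iss/aud/exp (and nonce) checks."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def login_technician(token, verifier):
    """Stand-in for just-in-time provisioning: the Technician identity the server would create or use."""
    claims = verifier(token)
    return claims["email"]


if __name__ == "__main__":
    now = time.time()
    # An attacker-minted token: correct-looking claims, no signature, alg "none".
    forged = make_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "x",
                         "email": "attacker@evil.example", "exp": now + 3600}, None, alg="none")
    print("insecure path logs in as:", login_technician(forged, accept_token_insecure))
    try:
        login_technician(forged, verify_token)
    except ValueError as err:
        print("hardened path rejects forged token:", err)
```

The insecure path provisions and signs in whatever e-mail the attacker put in the payload, which is the "arbitrary claims" outcome the advisory describes; the hardened path rejects the same token at the first check. Note the order of checks: the signature is verified before any claim is read, so a token that fails verification never influences account lookup or creation.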

SimpleHelp is widely used by IT support desks and managed service providers, which makes a compromised server a potential pivot into many downstream client environments. Given prior targeting by well-known ransomware operators, Beazley Security recommends affected organizations patch immediately.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this vulnerability and need support, please contact our Incident Response team.
