A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol.
The flaw is tracked as CVE-2026-48558 and received a critical severity rating. It impacts SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.
Researchers at offensive security company Horizon3.ai explain that the issue is caused by how identity assertions received from an OIDC identity provider (IdP) are validated.
When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through the multi-factor authentication (MFA) process.
"This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more," Horizon3.ai researcher Zach Hanley explains.
CVE-2026-48558 does not impact every SimpleHelp server running a vulnerable version; rather, it affects a subset that relies on the OIDC protocol, whether the generic one or Azure AD OIDC, both of them common in large enterprises.
As the researchers explain, there are several prerequisites for the exploit to work:
OIDC authentication must be enabled
at least one Technician Group must be associated with the OIDC provider
the group must have “Allow group authenticated logins” enabled.
Results from Shodan show about 14,000 SimpleHelp servers exposed to the public internet.
Analysis of a random sample suggests that roughly 7.2% are configured to use OIDC authentication.
Additionally, Horizon3.ai found that the “Allow group authenticated logins” option is enabled in many cases.
Organizations can defend against attacks leveraging the CVE-2026-48558 vulnerability by updating to the latest SimpleHelp releases that address the issue.
If updating is impossible, one mitigation is to restrict technician login sources using IP-based allowlists.
[Image: Rogue Technician account on SimpleHelp. Source: Horizon3.ai]
The researchers also shared indicators of compromise that can help detect active exploitation, such as new authenticated technician users with unknown or suspicious names and/or email addresses.
Additionally, the logs in ‘/opt/SimpleHelp/logs/server.log’ and ‘/opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log’ may contain technician registrations, email addresses, and configuration changes performed by rogue accounts.
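As an added example that is not part of the article or of SimpleHelp's tooling, the triage script below reads the two log locations above, flags technician registrations whose e-mail address is not on a known-technician list, and then pulls every line that mentions a flagged account (such as configuration changes). The registration line format, the sample log lines and the known-technician list are assumptions: substitute the wording of a real registration entry from your own server.log before relying on the pattern.

```python
import re
from pathlib import Path
from typing import Iterable

# Log locations the advisory names: the live server.log and the rotated
# copies under timestamped subdirectories.
LOG_ROOT = Path("/opt/SimpleHelp/logs")

# ASSUMPTION: the exact wording of a technician-registration entry is not
# documented in the advisory, so this pattern is a placeholder. Adjust it
# to match a known-good registration line from your own server.log.
REGISTRATION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"Technician registered: (?P<name>\S+) \((?P<email>[^)]+)\)"
)

def find_rogue_technicians(lines: Iterable[str], known_emails: set[str]) -> list[dict]:
    """Registration events whose e-mail is not on the known-technician list."""
    known = {e.strip().lower() for e in known_emails}
    rogue = []
    for line in lines:
        m = REGISTRATION_RE.search(line)
        if m and m.group("email").strip().lower() not in known:
            rogue.append({"ts": m.group("ts"), "name": m.group("name"),
                          "email": m.group("email").strip().lower()})
    return rogue

def trace_activity(lines: Iterable[str], rogue_names: set[str]) -> list[str]:
    """Every log line that mentions a flagged account, e.g. configuration changes."""
    return [ln for ln in lines if any(n in ln for n in rogue_names)]

def collect_log_files(root: Path = LOG_ROOT) -> list[Path]:
    """Each <YYYYMMDD-HHMMSS>/server.log (oldest first), then the live server.log."""
    live = [root / "server.log"] if (root / "server.log").is_file() else []
    return sorted(root.glob("*/server.log")) + live

# Constructed sample lines in the assumed format, so the script runs offline.
SAMPLE_LOG = """\
2026-05-02 10:14:03 INFO Technician registered: alice (alice@corp.example)
2026-05-02 11:02:41 INFO Technician registered: x9Yz (webhook@mail.invalid)
2026-05-02 11:03:10 INFO Configuration changed by x9Yz: MFA policy updated
"""

if __name__ == "__main__":
    files = collect_log_files()
    lines = [ln for f in files for ln in f.read_text(errors="replace").splitlines()] \
        or SAMPLE_LOG.splitlines()  # fall back to the sample when no logs exist
    rogue = find_rogue_technicians(lines, {"alice@corp.example"})
    for r in rogue:
        print(f"{r['ts']} unknown technician {r['name']} <{r['email']}>")
    for ln in trace_activity(lines, {r["name"] for r in rogue}):
        print("  related:", ln)
```

Run it on the server itself or on copied log directories; the known-technician list should come from the administrator's own roster, not from the logs.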
Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation.
Source: Bleeping Computer