CVE-2026-48558: SimpleHelp RMM Authentication Bypass — Unsigned OIDC Tokens Enable Unauthenticated Technician Access, MSP Supply Chain Attack (CISA KEV, CVSS 10.0)

CISA Known Exploited Vulnerability (KEV): Added to the CISA KEV Catalog on June 29, 2026. Action due July 2, 2026. BOD 26-04 3-day mandate applies. TaskWeaver loader malware deployed through compromised instances.

What Is the Vulnerability

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software. When OpenID Connect (OIDC) is configured for authentication, SimpleHelp accepts OIDC tokens without performing signature verification. An unauthenticated remote attacker can forge a valid-looking OIDC token, create a Technician account with administrative privileges, and gain full access to all managed endpoints.

The severity of this vulnerability is compounded by SimpleHelp’s role in the Managed Service Provider (MSP) ecosystem. MSPs use SimpleHelp to manage thousands of client systems. A single compromised SimpleHelp instance cascades into a supply chain attack, giving the attacker administrative access to every endpoint under management.

CVSS Score: 10.0 (Critical)

Versions Affected

  • SimpleHelp RMM versions 5.5.15 and below
  • SimpleHelp 6.0 pre-release versions

Only instances with OIDC authentication configured are vulnerable, and organizations using OIDC-based SSO are specifically targeted.

Exploited?

Yes. Horizon3.ai has published Indicators of Compromise (IoCs) confirming that attackers are actively exploiting this vulnerability in the wild. The TaskWeaver loader malware has been confirmed deployed through compromised SimpleHelp instances, establishing persistence on managed endpoints. The exploit chain is: forged OIDC token → Technician account creation → administrative access → TaskWeaver deployment across all managed endpoints.

CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog on June 29, 2026, with a remediation deadline of July 2, 2026 under BOD 26-04.

Fix

  • Upgrade SimpleHelp immediately to the patched version (released June 5, 2026)
  • If OIDC is not required, disable it as an authentication method
  • Audit all Technician accounts for unauthorized additions
  • Check all managed endpoints for indicators of TaskWeaver malware
  • Rotate all SimpleHelp credentials and API keys

Recommendations

  • Apply the SimpleHelp patch within the CISA 3-day mandate (by July 2, 2026)
  • Implement network segmentation for RMM infrastructure
  • Enable comprehensive logging on SimpleHelp servers and review for anomalous Technician account creation
  • Notify downstream clients if you are an MSP using SimpleHelp
  • Run the Horizon3.ai IoC scanner across all managed endpoints

References

Part of the Vulnerability Intelligence series. See the June 30, 2026 VIR.
