VYPR · patch · Published Jun 15, 2026 · Updated Jun 16, 2026 · 2 sources

SimpleHelp Bug Lets Hackers Create Rogue Remote Support Accounts

A critical vulnerability in SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts via OIDC authentication, granting persistent remote access.

A critical vulnerability in SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol. The flaw, tracked as CVE-2026-48558, received a critical severity rating and impacts SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.

Researchers at offensive security company Horizon3.ai discovered that the issue stems from improper validation of identity assertions received from an OIDC identity provider (IdP). When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through multi-factor authentication (MFA). "This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more," explained Horizon3.ai researcher Zach Hanley.

The vulnerability does not affect every SimpleHelp server running a vulnerable version; it only impacts the subset that relies on the OIDC protocol, whether generic OIDC or Azure AD OIDC, both common in large enterprises. For the exploit to work, OIDC authentication must be enabled, at least one Technician Group must be associated with the OIDC provider, and that group must have "Allow group authenticated logins" enabled. Results from Shodan show about 14,000 SimpleHelp servers exposed to the public internet, and analysis of a random sample suggests that roughly 7.2% are configured to use OIDC authentication. Additionally, Horizon3.ai found that the "Allow group authenticated logins" setting is enabled in many cases.

SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product. Organizations can defend against attacks leveraging CVE-2026-48558 by updating to the latest SimpleHelp releases. If updating is impossible, one mitigation is to restrict technician login sources using IP-based allowlists. The researchers also shared indicators of compromise that can help detect active exploitation, such as new authenticated technician users with unknown or suspicious names and/or email addresses. Additionally, the logs in '/opt/SimpleHelp/logs/server.log' and '/opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log' may contain technician registrations, email addresses, and configuration changes performed by rogue accounts.

Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation. However, given the product's history of attracting significant threat actor interest, organizations are advised to apply the available fixes or mitigations without delay. The vulnerability highlights the risks associated with misconfigured OIDC implementations in remote management tools, which can provide attackers with a direct path to persistent access across an enterprise network.

New data from Horizon3.ai reveals that nearly 14,000 SimpleHelp servers are now internet-facing, up from roughly 3,400 in early 2025, with approximately 7.2% vulnerable to CVE-2026-48558. The researchers also published indicators of compromise, advising administrators to audit technician accounts for unfamiliar names or email addresses and to inspect server logs in /opt/SimpleHelp/logs/ for signs of unauthorized registrations. SimpleHelp released a patch on June 9, 2026, and recommends IP-based login restrictions as a temporary mitigation.
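As an added illustration of the audit the researchers recommend (this is not code from the article, SimpleHelp or Horizon3.ai), the Python below scans log text for technician registrations, compares each new account against an expected roster and a set of allowed email domains, and attaches any configuration changes attributed to a flagged account. The log line layout, the field names and the sample entries are constructed assumptions for this example; the real format of /opt/SimpleHelp/logs/server.log is not described on the page, so the regular expressions must be adapted to the entries actually observed.

```python
"""Triage helper for hunting rogue technician accounts after CVE-2026-48558.

Added example, not part of the article or of any SimpleHelp/Horizon3.ai tooling.
The log layout parsed here is an ASSUMPTION made for illustration; adapt the
regular expressions to the entries actually found in
/opt/SimpleHelp/logs/server.log.
"""
import re
from dataclasses import dataclass

# Constructed sample excerpt. The line layout is assumed, not SimpleHelp's real format.
SAMPLE_LOG = """\
2026-06-12 03:14:07 INFO technician registered name=jdoe email=jdoe@corp.example source=oidc
2026-06-12 03:14:09 INFO technician login name=jdoe email=jdoe@corp.example source=oidc
2026-06-14 22:51:33 INFO technician registered name=svc-helper email=admin@mail-example.invalid source=oidc
2026-06-14 22:51:35 INFO technician login name=svc-helper email=admin@mail-example.invalid source=oidc
2026-06-14 22:52:01 INFO configuration changed by=svc-helper key=technician_group.allow_group_authenticated_logins
"""

# Hypothetical patterns: a registration entry and a configuration-change entry.
REGISTRATION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ technician registered name=(?P<name>\S+) email=(?P<email>\S+)"
    r"(?: source=(?P<source>\S+))?$"
)
CONFIG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ configuration changed by=(?P<name>\S+) key=(?P<key>\S+)$"
)


@dataclass
class Finding:
    """One technician account that deserves a closer look."""
    timestamp: str
    name: str
    email: str
    reasons: list


def audit_log(log_text, expected_emails, allowed_domains):
    """Return a Finding for every registered technician that is not on the roster
    or whose email domain is not allowed, enriched with any configuration changes
    the same account name made afterwards."""
    expected = {e.lower() for e in expected_emails}
    domains = {d.lower() for d in allowed_domains}
    findings = {}

    # Pass 1: registrations that do not match what the organisation expects.
    for line in log_text.splitlines():
        m = REGISTRATION_RE.match(line)
        if not m:
            continue
        email = m["email"].lower()
        reasons = []
        if email not in expected:
            reasons.append("email not on technician roster")
        domain = email.rsplit("@", 1)[-1]
        if domain not in domains:
            reasons.append(f"email domain {domain!r} not in allowed domains")
        if reasons:
            findings[m["name"]] = Finding(m["ts"], m["name"], email, reasons)

    # Pass 2: configuration changes performed by a flagged account.
    for line in log_text.splitlines():
        c = CONFIG_RE.match(line)
        if c and c["name"] in findings:
            findings[c["name"]].reasons.append(
                f"changed configuration key {c['key']} at {c['ts']}"
            )
    return list(findings.values())


if __name__ == "__main__":
    # Constructed roster: the only technician the organisation knows about.
    for f in audit_log(SAMPLE_LOG, ["jdoe@corp.example"], ["corp.example"]):
        print(f"{f.timestamp} {f.name} <{f.email}>")
        for r in f.reasons:
            print(f"  - {r}")
```

The roster comparison is the same check the researchers describe (unfamiliar names or email addresses); the second pass exists because a rogue account's first action is often a configuration change, and tying that change to the registration that preceded it gives the incident responder a timeline rather than two unrelated log lines.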

Synthesized by Vypr AI