
A vulnerability in the SimpleHelp remote administration utility enables unauthenticated attackers to create privileged technician accounts on servers that use the OpenID Connect (OIDC) authentication protocol.
The flaw is tracked as CVE-2026-48558 and received a critical severity rating. It affects SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.
Researchers at offensive security company Horizon3.ai report that the problem is caused by how identity assertions received from an OIDC identity provider (IdP) are validated.
When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a brand new Technician user without needing to go through the multi-factor authentication (MFA) process.
“This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more,” Horizon3.ai researcher Zach Hanley explains.
SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product.
CVE-2026-48558 does not affect every SimpleHelp server running a vulnerable version; rather, it affects the subset that relies on the OIDC protocol, whether the generic one or Azure AD OIDC, both of them common in large enterprises.
As the researchers explain, there are several prerequisites for the exploit to work:
Results from Shodan show about 14,000 SimpleHelp servers exposed to the public internet.
Analysis of a random sample suggests that roughly 7.2% are configured to use OIDC authentication.
Additionally, Horizon3.ai found that the “Allow network authenticated logins” option is enabled in many instances.
Organizations can defend against attacks leveraging the CVE-2026-48558 vulnerability by updating to the latest SimpleHelp releases that address the problem.
If updating is not possible, one mitigation is to restrict technician login sources using IP-based allowlists.

The researchers also shared indicators of compromise that could help detect active exploitation, such as new authenticated technician users with unknown or suspicious names and/or email addresses.
Additionally, the logs in ‘/opt/SimpleHelp/logs/server.log’ and ‘/opt/SimpleHelp/logs/
Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation.
However, given the product’s history of attracting significant threat actor interest, organizations are advised to apply the available fixes or mitigations right now.
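The technician-account review that the indicators of compromise above call for, as an added example that is not part of the article or of Horizon3.ai's or SimpleHelp's tooling. The CSV layout, the approved domain, the roster and the review-window date are all constructed assumptions; an operator would substitute their own technician export and dates.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export of technician accounts. The column layout is an
# assumption for this example, not SimpleHelp's real export format.
SAMPLE_EXPORT = """name,email,auth_source,created
Alice Smith,alice@example.com,oidc,2026-03-15T09:14:00Z
Bob Jones,bob@example.com,local,2025-11-20T16:40:00Z
admin,admin@mail-relay.xyz,oidc,2026-06-08T03:12:51Z
Zz Support,zz.support@example.com,oidc,2026-06-10T22:07:33Z
"""

# Assumed organisation data: the email domains technicians are expected to
# use, and the roster of technician accounts that were provisioned on purpose.
APPROVED_DOMAINS = {"example.com"}
KNOWN_TECHNICIANS = {"alice@example.com", "bob@example.com"}
# Placeholder start of the period during which the server was reachable and
# had OIDC enabled; an operator replaces this with their own exposure window.
REVIEW_WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)


def audit_technicians(export_text, approved_domains, known, window_start):
    """Return (email, reasons) for every technician account that needs a
    manual look: unexpected domain, not on the roster, or an OIDC-sourced
    account created inside the review window."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        created = datetime.fromisoformat(row["created"].replace("Z", "+00:00"))
        reasons = []
        if domain not in approved_domains:
            reasons.append("email domain not in approved list")
        if email not in known:
            reasons.append("not in known technician roster")
        if row["auth_source"] == "oidc" and created >= window_start:
            reasons.append("OIDC account created inside review window")
        if reasons:
            findings.append((email, reasons))
    return findings


if __name__ == "__main__":
    for email, reasons in audit_technicians(
        SAMPLE_EXPORT, APPROVED_DOMAINS, KNOWN_TECHNICIANS, REVIEW_WINDOW_START
    ):
        print(email, "->", "; ".join(reasons))
```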
