ctipilot.ch


CVE-2026-48558 — SimpleHelp RMM: OIDC SSO authentication bypass, actively exploited

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

CVE-2026-48558 (CVSS 10.0) is an OIDC SSO authentication bypass in SimpleHelp Remote Monitoring and Management. The OIDC callback handler accepts an identity token without verifying its cryptographic signature (CWE-347), so an attacker can forge an arbitrary token and obtain a full Technician-level session; MFA is also bypassed on first OIDC login (Horizon3.ai, 2026-06-12).

Exploitation requires the instance to have an OIDC provider configured, a TechnicianGroup bound to it, and "Allow group authenticated logins" enabled. Horizon3.ai measured ~14,000 internet-exposed servers, of which ~7.2% (~1,000) had a vulnerable OIDC configuration.

CISA added the CVE to the KEV catalog on 2026-06-29; the KEV listing confirms active exploitation in the wild. Patched in v5.5.16 / v6.0 RC2 (vendor advisory issued May 2026).

Observed follow-on: deployment of the new cross-platform Djinn infostealer via a "TaskWeaver" loader that persists through scheduled tasks (schtasks.exe) / launchd plists (BleepingComputer, 2026-06-29).

Hunt: Technician logins not correlated with MFA/VPN events; SimpleHelpServer.exe/SimpleHelp.exe spawning powershell.exe/cmd.exe/wscript.exe (Sysmon EID 1, parent-image filter).
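The two hunts above as an added Python example (not code from the brief, Horizon3.ai or SimpleHelp): a time-window join of Technician logins against MFA/VPN events, and the Sysmon EID 1 parent-image filter. The login-log field names, paths and sample records are constructed assumptions, not SimpleHelp's real schema.

```python
"""Added hunt checks for the two detections in the brief; every record below is
a constructed sample, and SimpleHelp's own login-log fields are an assumption."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RMM_PARENTS = {"simplehelpserver.exe", "simplehelp.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def uncorrelated_logins(tech_logins, auth_events, window_min=10):
    """Technician logins with no MFA/VPN event for the same account within
    +/- window_min minutes; a forged-token OIDC session never produced one."""
    win = timedelta(minutes=window_min)
    hits = []
    for login in tech_logins:
        t = datetime.fromisoformat(login["time"])
        if not any(ev["user"].lower() == login["user"].lower()
                   and abs(datetime.fromisoformat(ev["time"]) - t) <= win
                   for ev in auth_events):
            hits.append(login)
    return hits

def suspicious_children(sysmon_events):
    """Sysmon EID 1 parent-image filter: SimpleHelp binary -> script host.
    Only the basename is compared, so the install path does not matter."""
    return [ev for ev in sysmon_events
            if ev.get("EventID") == 1
            and PureWindowsPath(ev["ParentImage"]).name.lower() in RMM_PARENTS
            and PureWindowsPath(ev["Image"]).name.lower() in SCRIPT_HOSTS]

# Constructed sample telemetry (users, paths and PIDs are made up).
TECH_LOGINS = [
    {"time": "2026-06-29T08:00:10", "user": "alice"},  # MFA 2 min earlier
    {"time": "2026-06-29T03:14:00", "user": "bob"},    # nothing from IdP/VPN
]
AUTH_EVENTS = [
    {"time": "2026-06-29T07:58:30", "user": "ALICE", "source": "mfa"},
    {"time": "2026-06-28T17:00:00", "user": "bob", "source": "vpn"},  # 10h earlier
]
SYSMON_EVENTS = [
    {"EventID": 1, "ProcessId": 4412,
     "ParentImage": r"C:\Program Files\SimpleHelp Server\SimpleHelpServer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 5120,  # ordinary user shell: must not match
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]
if __name__ == "__main__":
    print([l["user"] for l in uncorrelated_logins(TECH_LOGINS, AUTH_EVENTS)])
    print([e["ProcessId"] for e in suspicious_children(SYSMON_EVENTS)])
```

Widen `window_min` to match the IdP's session lifetime when running this against real logs, and compare usernames in whatever canonical form the IdP and SimpleHelp agree on.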