ctipilot.ch

SimpleHelp RMM unauthenticated OIDC auth bypass (CVSS 9.5)

cve · CVE-2026-48558

Coverage timeline: 1 (first 2026-06-13 → last 2026-06-13)
Briefs: 1 (1 distinct)
Sources cited: 10 (7 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-13 · CTI Daily Brief — 2026-06-13
     trending_vulns · First coverage. Forged unsigned OIDC token -> full Technician session, bypasses IdP MFA, no user interaction. <=5.5.15 affected; fixed in 5.5.16 / 6.0 RC2. Horizon3 PoC + IOCs. MSP initial-access vector.

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • nvd.nist.gov: 3 (30%)
  • horizon3.ai: 2 (20%)
  • simple-help.com: 1 (10%)
  • cloud.google.com: 1 (10%)
  • helpnetsecurity.com: 1 (10%)
  • securityboulevard.com: 1 (10%)
  • windowsforum.com: 1 (10%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (10)

Items in briefs about SimpleHelp RMM unauthenticated OIDC auth bypass (CVSS 9.5) (1)

CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

SimpleHelp, a self-hosted remote-support/RMM platform common in European MSP estates, does not verify the cryptographic signature of OIDC identity tokens presented at login when OIDC authentication is enabled (Horizon3.ai, 2026-06-12). A remote, unauthenticated attacker who submits a forged, unsigned token carrying arbitrary identity claims obtains a fully authenticated Technician session with no user interaction. Because the signature is never checked, the attacker never has to authenticate to the identity provider at all, so any MFA enforced there is bypassed as well. SimpleHelp fixed the flaw in version 5.5.16 and in the 6.0 RC2 prerelease (Security Notice 2026-05); servers running 5.5.15 and earlier are affected (SimpleHelp, 2026-06-12). Horizon3 published IOCs for detecting post-exploitation in MSP environments; neither the vendor notice nor the Horizon3 disclosure stated a CVSS score at the time of writing. Maps to T1190 (Exploit Public-Facing Application) and T1078.004 (Valid Accounts: Cloud Accounts). Technician access to an RMM server is a stepping stone into every downstream client estate, which is why authentication bypasses in MSP tooling are a recurring initial-access vector. Detection: review SimpleHelp access logs for successful Technician authentications preceded by OIDC token exchanges with a malformed or missing signature, and for new Technician sessions from unfamiliar source ranges. Hardening: patch immediately; until then disable OIDC and require SAML or local authentication with MFA, and restrict network access to the web interface.
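The failure the brief describes, as an added example that is not SimpleHelp's or Horizon3's code: a login handler that decodes an ID token's claims without verifying the signature, beside a verifier that pins the algorithm, checks the signature first and only then validates iss, aud, exp and nonce. It assumes an IdP signing with HMAC-SHA256 so it runs offline on the Python standard library (real deployments use RS256/ES256 with the verification key taken from the IdP's JWKS by kid); the issuer, client id, key, nonce and clock are constructed.

```python
"""Added example, not SimpleHelp's or Horizon3's code: the vulnerable pattern the
brief describes (trusting an OIDC ID token's claims without verifying its
signature) beside a verifier that does the checks OIDC Core 3.1.3.7 requires.
Assumption: the IdP signs with HMAC-SHA256 so this runs offline on the standard
library; real IdPs use RS256/ES256 with the key selected by `kid` from their
JWKS. Issuer, client id, key, nonce and clock below are all constructed."""
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.test"    # constructed
CLIENT_ID = "simplehelp-rmm"               # constructed
IDP_KEY = b"constructed-idp-signing-key"   # constructed stand-in for the IdP's private key
NOW = 1_780_000_000                        # constructed fixed clock, seconds since epoch

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key, alg: str) -> str:
    """Build a JWT. alg="none" (or no key) leaves the signature segment empty,
    which is exactly what an attacker sends to a server that never checks it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none" or key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def vulnerable_login(token: str):
    """The bug class: base64-decode the payload and believe it. The signature
    segment is never read, so claims naming any user yield a session."""
    try:
        _header, payload, _sig = token.split(".")
        claims = json.loads(b64url_decode(payload))
        return {"subject": claims["sub"], "email": claims.get("email")}
    except (ValueError, KeyError):
        return None

class TokenRejected(Exception):
    pass

def verify_id_token(token: str, key: bytes, nonce: str, now: int = NOW) -> dict:
    """Pin the algorithm, verify the signature over header.payload, and only
    then parse the claims and check iss, aud, exp, nonce and sub."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The algorithm comes from configuration, never from the token: this is
    # what rejects alg=none and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))   # parsed only after the signature holds
    aud = claims.get("aud")
    if claims.get("iss") != IDP_ISSUER:
        raise TokenRejected("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    if claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch (replay)")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    return claims

def hardened_login(token: str, nonce: str):
    try:
        claims = verify_id_token(token, IDP_KEY, nonce)
    except (TokenRejected, ValueError):   # ValueError covers undecodable segments
        return None
    return {"subject": claims["sub"], "email": claims.get("email")}

def demo() -> dict:
    """Constructed tokens: forged (alg=none, attacker-chosen claims), genuine,
    genuine but expired, and genuine but issued to a different client."""
    nonce = "constructed-nonce-1"
    base = {"iss": IDP_ISSUER, "aud": CLIENT_ID, "exp": NOW + 300, "nonce": nonce}
    forged = make_token({**base, "sub": "attacker", "email": "admin@victim.test"}, None, "none")
    genuine = make_token({**base, "sub": "tech-1", "email": "tech@victim.test"}, IDP_KEY, "HS256")
    expired = make_token({**base, "sub": "tech-1", "exp": NOW - 1}, IDP_KEY, "HS256")
    other_app = make_token({**base, "sub": "tech-1", "aud": "another-client"}, IDP_KEY, "HS256")
    return {
        "vulnerable_accepts_forged": vulnerable_login(forged) is not None,
        "hardened_accepts_forged": hardened_login(forged, nonce) is not None,
        "hardened_accepts_genuine": hardened_login(genuine, nonce) is not None,
        "hardened_accepts_expired": hardened_login(expired, nonce) is not None,
        "hardened_accepts_other_app": hardened_login(other_app, nonce) is not None,
        "hardened_accepts_replay": hardened_login(genuine, "some-other-nonce") is not None,
    }
```

Calling demo() shows the vulnerable handler handing out a session for the alg=none token naming "attacker", while the hardened verifier rejects it and also rejects the expired, wrong-audience and replayed tokens, accepting only the genuine one. The order in the hardened path is the point: algorithm pinned from configuration, signature checked, and only then are claims parsed and believed. A verifier that takes alg from the token, or that parses claims before the signature check, reintroduces this class of bug.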

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48558 | SimpleHelp RMM (OIDC auth) | n/a | n/a | No | No (research PoC) | 5.5.16 / 6.0 RC2 | Horizon3.ai |
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools (PSEMHUB) | 9.8 | n/a | Yes (2026-06-12) | Yes (UNC6240, 27 May) | OOB patch 2026-06-10 (8.61/8.62) | Mandiant/GTIG |

(CVE-2026-35273 carried as § 4 UPDATE; included here for the gate-clearing exploitation picture. CVEs that did not clear a § 2 inclusion gate — GitLab CVE-2026-6552 and the Check Point LangGraph chain — are noted in § 3 / § 7.)