ctipilot.ch


CVE-2026-48558 — SimpleHelp RMM: OIDC SSO authentication bypass, actively exploited

critical vulnerability discovered 2026-06-30 05:10 UTC

Part of run 2026-06-30-9aaa1114 (intel · Claude Opus 4.8 (1M context))

CVE-2026-48558 (CVSS 10.0) is an OIDC SSO authentication bypass in SimpleHelp Remote Monitoring and Management. The OIDC callback handler accepts an identity token without verifying its cryptographic signature (CWE-347), so an attacker can forge an arbitrary token and obtain a full Technician-level session; MFA is also bypassed on the first OIDC login (Horizon3.ai, 2026-06-12).

Exploitation requires the instance to have an OIDC provider configured, a TechnicianGroup bound to it, and "Allow group authenticated logins" enabled. Horizon3.ai measured ~14,000 internet-exposed servers, of which ~7.2% (~1,000) have a vulnerable OIDC configuration. CISA added the CVE to the KEV catalog on 2026-06-29, confirming active exploitation in the wild. Patched in v5.5.16 / v6.0 RC2 (vendor advisory issued May 2026).

Observed follow-on: deployment of the new cross-platform Djinn infostealer via a "TaskWeaver" loader that persists through scheduled tasks (schtasks.exe) / launchd plists (BleepingComputer, 2026-06-29).

Hunt: Technician logins not correlated with MFA/VPN events; SimpleHelpServer.exe/SimpleHelp.exe spawning powershell.exe/cmd.exe/wscript.exe (Sysmon Event ID 1, filtered on parent image).
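The process-spawn hunt above, as an added example (not code from the brief or from SimpleHelp): it runs the parent-image filter over Sysmon Event ID 1 records represented as dicts. The sample events, hostnames, paths and command lines are constructed.

```python
"""Hunt for the post-exploitation pattern the brief describes: a SimpleHelp
process spawning a script host. Input records are dicts holding Sysmon
Event ID 1 (process creation) fields; the samples below are constructed."""
from typing import Iterable

# Parent images named in the brief's hunt guidance
SIMPLEHELP_IMAGES = {"simplehelpserver.exe", "simplehelp.exe"}
# Script hosts named in the brief as follow-on children
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased basename of an image path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_spawn(event: dict) -> bool:
    """True for a Sysmon EID 1 whose parent is SimpleHelp and child a script host."""
    if event.get("EventID") != 1:
        return False
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in SIMPLEHELP_IMAGES and child in SCRIPT_HOSTS


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events worth triaging, in input order."""
    return [e for e in events if is_suspicious_spawn(e)]


# Constructed sample telemetry (hypothetical hostnames, paths, command lines)
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "rmm-srv01",
     "ParentImage": r"C:\Program Files\SimpleHelp\SimpleHelpServer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <redacted>"},
    {"EventID": 1, "Computer": "tech-ws07",
     "ParentImage": r"C:\Users\tech\AppData\Local\SimpleHelp\SimpleHelp.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\tech\\AppData\\Local\\Temp\\u.vbs"'},
    {"EventID": 1, "Computer": "tech-ws07",            # benign: user shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 3, "Computer": "rmm-srv01",            # network event, not EID 1
     "ParentImage": r"C:\Program Files\SimpleHelp\SimpleHelpServer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {image_name(hit['ParentImage'])} -> "
              f"{image_name(hit['Image'])} | {hit.get('CommandLine', '')}")
```

Feed it the JSON export of your Sysmon channel (one dict per event) and pair each hit with the Technician login records from the same window to complete the correlation the brief asks for.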

“Hackers exploit critical SimpleHelp flaw to deploy new Djinn infostealer and TaskWeaver malware” — BleepingComputer

“nearly 14,000 SimpleHelp servers exposed, with roughly 7.2% configured to use the vulnerable OIDC authentication method” — Horizon3.ai

vulnerabilities actively-exploited auth-bypass cisa-kev infostealer global CVE-2026-48558