Home · Live brief · Weekly 2026-W27
SimpleHelp RMM auth bypass (CVE-2026-48558) went from disclosure to in-the-wild exploitation this week — an RMM supply-chain foothold
Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))
If you did nothing this week: an internet-exposed SimpleHelp RMM server running OIDC single-sign-on is a full-takeover foothold — and because remote-monitoring-and-management servers push commands to every endpoint they manage, one compromised instance is a supply-chain pivot into an entire managed estate, the same blast-radius pattern that made Kaseya and ConnectWise ScreenConnect priority targets.
CVE-2026-48558 (CVSS 10.0) is an OIDC SSO authentication bypass in SimpleHelp: the OIDC callback handler accepts an identity token without verifying its cryptographic signature (CWE-347), so an attacker forges an arbitrary token, obtains a full Technician-level session, and bypasses MFA on first OIDC login (Horizon3.ai, 2026-06-12). The prerequisite is a configured OIDC provider with a TechnicianGroup bound and "Allow group authenticated logins" enabled; Horizon3.ai measured ~14,000 internet-exposed servers, ~7.2% (~1,000) in a vulnerable OIDC configuration. This week's shift is from disclosure to exploitation: CISA added the CVE to KEV on 2026-06-29 — jurisdiction-agnostic confirmation of in-the-wild abuse — and observed follow-on is deployment of the new cross-platform Djinn infostealer through a "TaskWeaver" loader persisting via scheduled tasks and launchd plists (BleepingComputer, 2026-06-29; Centre for Cybersecurity Belgium, 2026-06). The weekly lens for a public-sector reader: RMM and remote-support tooling is a recurring first-party supply-chain surface — treat the management plane of any remote-support product as tier-0, patch it on the exploited-flaw clock rather than the monthly cycle, and confirm no support vendor in your own supply chain is running an exposed, unpatched instance. First covered operationally on 2026-06-30 (§ references).
Hackers exploit critical SimpleHelp flaw to deploy new Djinn infostealer and TaskWeaver malware
nearly 14,000 SimpleHelp servers exposed, with roughly 7.2% configured to use the vulnerable OIDC authentication method
Action items
- Patch or pull every internet-exposed SimpleHelp RMM to v5.5.16 / v6.0 RC2 now; the flaw is on CISA KEV (added 2026-06-29) and exploited in the wild.
- Where OIDC group-authenticated logins are not required, disable them to remove the vulnerable path entirely.
- Hunt Technician logins not correlated with MFA/VPN events, and
SimpleHelpServer.exe/SimpleHelp.exespawningpowershell.exe/cmd.exe/wscript.exe(Sysmon EID 1, parent-image filter) — the follow-on is Djinn infostealer via a TaskWeaver loader.