🚨 CRITICAL ALERT: Active Zero-Day Exploits
CVE-2026-48558 is a CVSS 10.0 authentication bypass in SimpleHelp. A remote, unauthenticated attacker can forge OIDC identity tokens, bypass MFA and obtain a fully authenticated Technician session, which means full access to the managed endpoints: remote control, script execution and lateral movement across the enterprise network. Evidence confirms active exploitation in the wild to deploy the Djinn Stealer infostealer on Windows, macOS and Linux. Approximately 1,000 servers are directly exposed to this flaw, and vulnerable OIDC configurations are becoming more common as the number of internet-exposed SimpleHelp instances has grown from about 3,400 to nearly 14,000 since early 2025[1][2][3][5].
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-48558 (CVSS: 10.0): Authentication bypass in SimpleHelp's OIDC login flow. The server accepts identity tokens without verifying their cryptographic signature, so an attacker can submit a forged token carrying arbitrary claims and have the server create a privileged Technician account for it. No user interaction is required. MFA bypass is possible in some deployments. Affected versions: 5.5.15 and prior, plus 6.0 pre-release builds before 6.0RC2[1][2][3][4]. View NVD | CISA KEV
⚡ Immediate Actions Required
1. PATCH NOW: Upgrade immediately to SimpleHelp 5.5.16 (stable) or 6.0RC2 (pre-release); both correctly verify the OIDC token signature, issuer, audience and expiration[1][2][3][6].
2. DISABLE OIDC if patching is delayed: Temporarily disable OpenID Connect authentication and fall back to local authentication with strong passwords and enforced MFA[3][5].
3. NETWORK ISOLATION: Take the SimpleHelp server off the internet, or restrict administrative access to an IP allowlist via `Administration → Login Security`, until it is patched[1][5][6].
4. AUDIT LOGS: Upgrading closes the bypass but does not undo accounts or sessions an attacker has already created through it. Check server logs and the Administration settings for unexpected Technician account creation, logins, sessions or tool runs, especially from unknown IPs[1][2][6].
5. FIREWALL RULES: Enforce inbound firewall rules that limit access to the SimpleHelp web interface to known administrator IP ranges[1][3].
6. MONITOR FOR DJINN STEALER: Scan endpoints for indicators of the Djinn Stealer infostealer, which is actively being deployed through this exploit[1][2].
This is a confirmed active zero-day threat with CVSS 10.0 and no user interaction required. Delay equals compromise.[1][2][3][5][6]
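To make the bug class concrete, the following is an added illustration written for this page; it is not SimpleHelp's code and not taken from any of the cited sources. It builds an RS256-signed OIDC ID token the way an identity provider would, then shows two ways a relying party might consume it: `vulnerableParse`, which base64-decodes the payload and trusts the claims without looking at the signature (the defect described above), and `secureParse`, which pins the algorithm, verifies the signature with the provider's public key, and then checks issuer, audience and expiry (the four checks the fixed releases are said to perform). The alg pin goes slightly beyond the page and is included because it is the standard companion check. The issuer URL, client ID and a `role` claim are assumed placeholders; the audience is simplified to a single string, and fetching the provider's key from its JWKS endpoint is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OIDC ID-token claims the checks below use. "role" is a
// hypothetical stand-in for whatever claim grants Technician access (not documented here).
type Claims struct {
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Aud  string `json:"aud"` // simplified: OIDC also permits an array of audiences
	Exp  int64  `json:"exp"`
	Role string `json:"role"`
}

var enc = base64.RawURLEncoding

// signingInput returns the "header.payload" half of a compact JWS for c.
func signingInput(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	return enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
}

// signRS256 is what an honest identity provider does: sign with its private key.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	in := signingInput(c)
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return in + "." + enc.EncodeToString(sig), nil
}

// forgeToken is all an attacker without the provider's key can produce:
// arbitrary claims under a well-formed header, plus a signature that is garbage.
func forgeToken(c Claims) string {
	return signingInput(c) + "." + enc.EncodeToString([]byte("not-a-signature"))
}

// vulnerableParse is the bug class the advisory describes: decode the payload and
// trust its claims. The signature is never examined, so a forged token passes.
func vulnerableParse(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	pl, err := enc.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(pl, &c)
	}
	return c, err
}

// secureParse is the hardened form: pin the algorithm, verify the RS256 signature
// with the provider's public key, then check issuer, audience and expiry.
func secureParse(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrRaw, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unexpected alg") // also rejects alg=none
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, fmt.Errorf("signature verification failed")
	}
	c, err := vulnerableParse(token) // safe only now: the payload is authenticated
	if err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != wantIss:
		return Claims{}, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	case c.Aud != wantAud:
		return Claims{}, fmt.Errorf("audience %q is not %q", c.Aud, wantAud)
	case c.Exp == 0 || now.Unix() >= c.Exp:
		return Claims{}, fmt.Errorf("token expired or has no exp")
	}
	return c, nil
}

func main() {
	const issuer, clientID = "https://idp.example.test", "simplehelp-client" // assumed values
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Unix(1_700_000_000, 0) // fixed clock so the run is reproducible
	good, _ := signRS256(key, Claims{Iss: issuer, Sub: "u-42", Aud: clientID, Exp: now.Unix() + 3600, Role: "technician"})
	bad := forgeToken(Claims{Iss: issuer, Sub: "attacker", Aud: clientID, Exp: now.Unix() + 3600, Role: "technician"})
	c, err := vulnerableParse(bad)
	fmt.Println("vulnerable parser, forged token:", c.Sub, c.Role, err) // attacker technician <nil>
	_, err = secureParse(good, &key.PublicKey, issuer, clientID, now)
	fmt.Println("secure parser, legitimate token:", err) // <nil>
	_, err = secureParse(bad, &key.PublicKey, issuer, clientID, now)
	fmt.Println("secure parser, forged token:", err) // signature verification failed
}
```

The order inside `secureParse` is the point: nothing in the payload is read for a decision until the signature has been checked against a key the relying party already trusts, and a token whose claims are valid in every other respect is still rejected if it was minted for another client or another issuer. A server that only patches the signature check but leaves audience or issuer unverified remains open to token replay from a different OIDC application at the same provider.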

