CVE-2026-48558
CRITICAL · CVSS 10.0 · KEV · EPSS 0.7%
KEV-listed; in-the-wild malware deployment observed; multiple credible sources.
What: SimpleHelp 5.5.15 and earlier, and 6.0 pre-release builds, accept OIDC identity tokens without verifying their signature. An unauthenticated attacker forges a token carrying arbitrary identity claims and obtains a technician session (CVSS 10.0, EPSS 0.49%).
Why it matters: Added to the KEV catalog on 2026-06-29 with a remediation due date of 2026-07-02. Social-media and threat-intel reporting describes in-the-wild exploitation that deploys TaskWeaver C2 and Djinn Stealer malware. A compromised RMM server gives the attacker the technician's reach: remote command execution, lateral movement and persistence across every managed endpoint.
Where it's seen: Threat intel briefs, security news sites and researcher posts citing active attacks with post-exploitation payloads. Coverage in multiple languages signals broad awareness and an active defender response.
RISK: CRITICAL. A forged token yields an authenticated technician session, which on an RMM server is equivalent to unauthenticated remote code execution on managed endpoints; exploitation confirmed in the wild; KEV-listed.
Description
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. Because the signature is never checked, the attacker needs neither IdP credentials nor the IdP's signing keys; any token whose payload carries the expected claim names is sufficient. In a vulnerable configuration, a remote, unauthenticated attacker can therefore submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
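The bug class in the description, shown as an added example that is not SimpleHelp's code: a minimal JWT handler with the vulnerable "decode the payload and trust it" path beside a hardened one that checks the signature with a server-pinned algorithm and then the iss/aud/exp/nonce claims. HS256 with a shared secret (a constructed value) stands in for the RS256/JWKS verification a real OIDC relying party performs; the issuer URL, audience string and key are assumptions, as are the forged claims.

```python
"""Vulnerable vs hardened OIDC ID-token handling (added illustration, not SimpleHelp
code). HS256 with a shared secret stands in for RS256/JWKS verification; the bug class
is the same: the vulnerable path trusts claims without checking the signature at all."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; the real IdP key, issuer and client id are not known here.
IDP_KEY = b"constructed-demo-shared-secret"
ISSUER = "https://idp.example"
AUDIENCE = "simplehelp-demo-client"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT. With alg='none' or a key the IdP never issued, this is what an attacker submits."""
    header = {"alg": alg, "typ": "JWT"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def vulnerable_login(token: str) -> str:
    """The flaw described above: decode the payload and trust it; the signature is never examined."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))["sub"]


class TokenRejected(Exception):
    pass


def hardened_login(token, key, issuer, audience, nonce, now=None) -> str:
    """Verify the signature under a pinned algorithm, then iss/aud/exp/nonce, before trusting any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError as e:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenRejected(f"undecodable: {e}")
    # Pin the algorithm server-side; never let the token choose it (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise TokenRejected("nonce mismatch")
    return claims["sub"]


def demo() -> dict:
    """Run forged, alg=none and legitimate tokens through both paths; returns each decision."""
    now = 1_700_000_000
    forged = {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": now + 300, "nonce": "n1"}
    attacker_token = make_token(forged, b"attacker-has-no-idp-key")  # signed with a key the IdP never had
    alg_none_token = make_token(forged, b"", alg="none")
    legit_token = make_token(forged, IDP_KEY)
    result = {"vulnerable_accepts_forged": vulnerable_login(attacker_token)}
    for name, tok in [("forged", attacker_token), ("alg_none", alg_none_token), ("legit", legit_token)]:
        try:
            result[f"hardened_{name}"] = hardened_login(tok, IDP_KEY, ISSUER, AUDIENCE, "n1", now)
        except TokenRejected as e:
            result[f"hardened_{name}"] = f"rejected: {e}"
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The vulnerable path logs in "admin" from a token the attacker signed with a key of their own choosing, which is the whole attack; the hardened path rejects it at the signature check and rejects alg=none at the algorithm pin before any claim is read. Note that signature verification alone is not enough: without the iss, aud, exp and nonce checks a validly signed token for a different client or a replayed old login would still be accepted.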
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High