DECEPTION CHECK
Threat Research · Vulnerability

A Forged Token, a Trusted Technician, an Entire Fleet: CVE-2026-48558

SimpleHelp never checked the signature on its OIDC login tokens. CISA added the flaw to KEV yesterday, and the attackers using it are already shipping new malware families through it. Here is how the bypass works, why it lands hardest on managed service providers and the infrastructure they support, and what to do this week.

Deception Check  |  June 2026  |  CVE-2026-48558  |  CVSS 9.8 to 10.0 Critical  |  CISA KEV added 2026-06-29
The short version CVE-2026-48558 is an authentication bypass in SimpleHelp, a widely deployed remote monitoring and management platform. When a customer turns on OpenID Connect single sign-on, SimpleHelp accepts the identity token but never verifies its cryptographic signature. An unauthenticated attacker forges a token, becomes a fully authenticated Technician, and now has push-button access to every managed endpoint behind that server. Roughly 14,000 SimpleHelp servers are exposed to the public internet, around 7 percent of them in the vulnerable OIDC configuration, and active campaigns are already using the bypass to drop a new info stealer called Djinn Stealer through a Node.js loader called TaskWeaver. CISA added it to the Known Exploited Vulnerabilities catalog on June 29, 2026, with a remediation deadline of July 2.

What the vulnerability is

SimpleHelp is a remote monitoring and management product. IT teams, and especially managed service providers, install a SimpleHelp server, attach their fleet of managed endpoints to it, and use it to remote in, push scripts, transfer files, and run privileged operations on those endpoints from one console. When the server is configured to use OpenID Connect for sign on, the workflow looks normal: the user is redirected to their identity provider, the identity provider issues a signed JSON Web Token, and the server is supposed to verify that signature before trusting the claims inside.

9.8
CVSS, Critical
~14k
internet-exposed servers
Day 0
in the wild on disclosure

That signature check is the one step SimpleHelp skipped. The vulnerable versions, every release up to and including 5.5.15 and all 6.0 release candidates, accept any well formed OIDC identity token at face value. An attacker can craft a token, write whatever they want in the claims, including the group membership that maps to a Technician role, and submit it to the login endpoint. The server returns a real technician session, and from there the attacker can do everything a legitimate technician can do: remote into managed endpoints, execute scripts, transfer files, create more privileged accounts, and persist on the fleet.

Three preconditions have to be true for the bypass to work, and on real SimpleHelp deployments they often are: OpenID Connect is enabled, a TechnicianGroup is associated with an OIDC provider, and "Allow group authenticated logins" is turned on for that TechnicianGroup. Horizon3 reports that around 7.2 percent of the 14,000 public servers they enumerated meet those conditions. That is roughly a thousand internet-facing servers in the vulnerable state, and each of them is a hub to many downstream endpoints.

How the real attack unfolds

Blackpoint Security observed a clean campaign tied to this bug. Attackers identify an OIDC-enabled SimpleHelp server, forge a token that grants Technician access, and then move through the fleet the server controls. The follow-on payload is novel. The attackers stage a Node.js loader the researchers are calling TaskWeaver, which fingerprints the system and pulls down a JavaScript task graph. One of those tasks deploys Djinn Stealer, a previously undocumented cross-platform info stealer that hunts for browser data, SSH key material, cloud and developer tokens, AI tool credentials, and other secrets that let the attacker pivot well beyond the initial SimpleHelp foothold.

The server that lets one operator manage thousands of endpoints is also the server that, in a forged-token scenario, lets one attacker do the same.

This is the second time in eighteen months that SimpleHelp has shown up in a campaign against high value targets. The 2025 CISA advisory AA25-163A described ransomware actors using unpatched SimpleHelp instances (CVE-2024-57726, -57727, -57728) to reach into a utility billing software provider and detonate DragonForce ransomware on downstream customers. The 2026 bug is different and worse: no credentials needed, no path traversal, just a missing signature check on the front door.

Why this hits OT and critical infrastructure

SimpleHelp itself is general-purpose IT software, not industrial gear. The reason it matters for OT and critical infrastructure is that managed service providers, including the ones that service water and wastewater utilities, manufacturing sites, energy operators, and rural healthcare networks, use RMM platforms exactly like this one to reach into their customers' environments. That puts the SimpleHelp server in the same threat model as a domain controller or jump host: compromise it once, and the blast radius is everything it manages.

The 2025 precedent is the clearest illustration. The Royal Mail / billing-provider style of attack chain works the same way here: take the RMM, ride its trusted channel into customer estates, and detonate the payload of choice. With Djinn Stealer that payload is credential harvesting, which is the precursor to whatever the operator wants to do next: ransomware, data theft, or quiet long term access to operational systems.

What we see from our sensors

We run a fleet of honeypots and edge decoys, so we went looking for this activity in our own data. We want to be precise about what we found, and what we did not.

We did not see CVE-2026-48558 itself in our captures. Our decoys are generic SSH, Telnet, SMB, HTTP, and a curated set of industrial protocol and edge-appliance emulations. None of them currently impersonate a SimpleHelp server with OIDC enabled, so an attacker hunting that exact surface would not find it on our sensors.

What we do see, every day, is the perimeter pressure that this campaign assumes. RMM consoles, web admin panels on non-standard ports (8443, 9090, 443 with self-signed certs), JWT-bearing requests to login endpoints, and probes for "/auth/oidc", "/callback", and similar SSO entry points are all visible on our HTTP decoys as part of the normal background internet noise. The Shodan-confirmed exposure of about 14,000 SimpleHelp servers is consistent with how easily that probing finds real targets.

The honest framing We have not caught CVE-2026-48558. We are not going to claim we have. What we can corroborate from our own data is that internet-exposed administrative consoles, OIDC and OAuth endpoints, and the credential and token-grab patterns this campaign feeds on are constantly probed at internet scale. A SimpleHelp-flavored decoy would convert that inference into captured sessions, and is now on our short list.

What to do this week

Fixed releases for CVE-2026-48558
SimpleHelp 5.5.16   or   6.0 RC2   (released 2026-06-09)

Indicators and references

TypeIndicator
AffectedSimpleHelp ≤ 5.5.15 and 6.0 RC1 with OIDC enabled and group-authenticated logins on a Technician group
Fixed5.5.16, 6.0 RC2 (released 2026-06-09)
CISA KEVAdded 2026-06-29, required action due 2026-07-02 under BOD 26-04
Tooling seen on victimsTaskWeaver (Node.js loader), Djinn Stealer (cross-platform info stealer)
Targets of follow-on theftBrowser data, SSH keys, cloud and developer tokens, AI tool credentials
Exposure scale~14,000 internet-facing SimpleHelp servers, ~7.2% in vulnerable OIDC configuration (Horizon3)
An honest caveat Our exploitation account follows Horizon3 and Blackpoint reporting, the SimpleHelp advisory, and the CISA KEV listing. Our first-party contribution here is the perimeter and credential context from our own sensors, not direct capture of this CVE. Standing up a SimpleHelp-flavored decoy with an OIDC login surface would convert that from inference into captured sessions, and it is the next thing we will do on this one.