SimpleHelp RMM flaw could give attackers full access to managed endpoints (CVE-2026-48558)
A critical vulnerability (CVE-2026-48558) in SimpleHelp, a popular remote monitoring and management (RMM) tool, can be exploited remotely by unauthenticated attackers to create a new “Technician” account and use it to remote into managed endpoints, execute scripts, and more.
Maliciously “forged” Technician account (Source: Horizon3.ai)
The vulnerability
CVE-2026-48558 is an authentication bypass flaw affecting SimpleHelp deployments configured to use OpenID Connect (OIDC) authentication.
“Even when the SimpleHelp server is configured to enforce MFA for technicians, this issue allows the attacker to bypass this mechanism because on first login, technicians can self-register their own MFA method,” Horizon3.ai researchers noted.
Fixes for the vulnerability have been included in SimpleHelp v5.5.16 (stable) and (pre-release) v6.0 RC 2, pushed out in late May 2026.
The vendor said at the time that they were not aware of malicious exploitation of this vulnerability, and urged customers to download and install the appropriate update.
CVE-2026-48558 was discovered by Horizon3.ai researchers with the help of an autonomous vulnerability-hunting AI system, and publicly disclosed last Friday.
Potential for exploitation
Horizon3.ai noted that there are several prerequisites for successful exploitation, namely:
- At least one OIDC authentication provider is configured on the SimpleHelp server
- A TechnicianGroup is associated with the OIDC provider
- The “Allow group authenticated logins” setting is enabled on the TechnicianGroup
The second of those is expected to be present in any deployment using OIDC authentication, they added, and they found that the third had been enabled by the clients they assessed.
SimpleHelp noted that an attacker must be able to connect to a server to exploit the vulnerability. “Servers accessible only from local networks or recognised and trusted IP ranges are at much lower risk of exploitation,” they pointed out.
Also, “to log in as a Technician the attacker must be connecting from an IP address permitted by Technician login IP restrictions.”
Horizon3.ai researchers say that the number of SimpleHelp servers exposed on the internet currently reaches nearly 14,000. “A random sampling of these servers indicated that roughly 7.2% of them were configured to use the vulnerable OIDC authentication method,” they added.
Why this matters
SimpleHelp is often used by organizations’ IT help desks and is popular with managed services providers (MSPs).
The three SimpleHelp server vulnerabilities Horizon3.ai reported and disclosed in January 2025 have since been exploited by ransomware attackers.
While the researchers refrained from publishing technical details about CVE-2026-48558, savvy attackers may have enough information to know what to look for and create a working exploit.
SimpleHelp advises admins and security teams to look for evidence of unexpected Technician account creation, logins, sessions, and tool runs, especially from unrecognized IP addresses. Evidence of those may be found in the server logs and the Administration settings (under Technicians).
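As an added illustration of that hunt (not code from SimpleHelp or Horizon3.ai), the script below walks a log and flags every Technician account creation plus any login, session or tool run by a technician outside the known roster or from an IP outside the trusted ranges. The line layout and the sample log are constructed for the example; SimpleHelp's real server log format is not given in this article and must be adapted.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical line layout: "<ISO time> <EVENT> technician=<name> ip=<addr>".
# SimpleHelp's real server log format is not given on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>TECH_CREATED|TECH_LOGIN|SESSION_START|TOOL_RUN) "
    r"technician=(?P<tech>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: a normal login, then a self-created account that logs in from outside.
SAMPLE_LOG = """\
2026-06-01T08:02:11Z TECH_LOGIN technician=alice ip=10.0.5.20
2026-06-01T09:14:03Z TECH_CREATED technician=svc-helpdesk ip=203.0.113.45
2026-06-01T09:14:40Z TECH_LOGIN technician=svc-helpdesk ip=203.0.113.45
2026-06-01T09:15:02Z SESSION_START technician=svc-helpdesk ip=203.0.113.45
2026-06-01T09:16:30Z TOOL_RUN technician=svc-helpdesk ip=203.0.113.45
2026-06-01T10:01:00Z TECH_LOGIN technician=bob ip=198.51.100.7
""".splitlines()

@dataclass(frozen=True)
class Finding:
    ts: str
    event: str
    technician: str
    ip: str
    reason: str

def review_log(lines, trusted_cidrs, known_technicians):
    """Flag every Technician creation, and any login/session/tool run by an
    unknown technician or from an IP outside the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    roster = set(known_technicians)
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in any other format are skipped
        ts, event, tech, ip = m.group("ts", "event", "tech", "ip")
        reasons = []
        if event == "TECH_CREATED":
            reasons.append("new Technician account")
        if tech not in roster:
            reasons.append("technician not in roster")
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            reasons.append("untrusted source IP")
        if reasons:
            findings.append(Finding(ts, event, tech, ip, "; ".join(reasons)))
    return findings
```

Calling `review_log(SAMPLE_LOG, ["10.0.0.0/8"], ["alice", "bob"])` returns five findings: the whole chain from the self-created account and bob's login from an untrusted address, while alice's login from the internal range is left alone.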
Customers who run an affected SimpleHelp version but cannot immediately upgrade to a fixed version should disconnect their SimpleHelp server from the network (if possible) and make it inaccessible from the internet until they can perform the upgrade.