CVE-2026-48558 · High · CISA KEV

SimpleHelp OIDC Auth Bypass: Forged Tokens Grant Full Technician Access

Threat Engine Auto-Feed · data current as of 2026-06-29

A critical authentication bypass in SimpleHelp's OIDC flow allows unauthenticated attackers to forge identity tokens and gain full technician session access. This vulnerability, listed in CISA KEV, is actively exploited in the wild and can bypass multi-factor authentication in certain configurations. Organizations using SimpleHelp with OIDC enabled are at high risk.

  • CVSS:
  • EPSS percentile: 0.49308
  • Exploitation pressure: 55/100 (High)

Exploitation reality: listed in CISA KEV (exploited in the wild) · EPSS 49th percentile. Threat × Vulnerability from public signals — impact depends on your environment.

Weakness

This vulnerability is an authentication bypass. It occurs because the software fails to properly verify the cryptographic signature of identity tokens submitted during the OIDC login process. This allows an attacker to create a fake token with arbitrary user information and be authenticated as a legitimate user, bypassing security checks.
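The following is an added example (not SimpleHelp's code, and not a description of its internal OIDC handling) showing the checks a relying party must make on an OIDC ID token before trusting its claims: pin the algorithm instead of honouring the token's own `alg` header, verify the signature in constant time, then check issuer, audience and expiry. It assumes an HS256 token signed with a shared client secret so that it runs offline; the issuer, audience, secret and sample claims are constructed for the demonstration. Production OIDC clients normally verify RS256/ES256 signatures against the provider's JWKS, but the order and the rejection rules are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; not from any real deployment.
CLIENT_SECRET = b"example-shared-secret-do-not-use"   # hypothetical client secret
EXPECTED_ISSUER = "https://idp.example.invalid"        # hypothetical OIDC provider
EXPECTED_AUDIENCE = "simplehelp-client"                # hypothetical client_id
ALLOWED_ALG = "HS256"                                  # pinned, never taken from the token


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, key=CLIENT_SECRET, alg="HS256"):
    """Build sample tokens for the test cases below (an IdP would normally do this)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."          # unsigned token: empty signature part
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    pass


def verify_id_token(token, key=CLIENT_SECRET, now=None):
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own 'alg' must never select the verification logic,
    # otherwise 'none' or an algorithm-confusion header defeats the check.
    if header.get("alg") != ALLOWED_ALG:
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    # Constant-time comparison over the full signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    # Only now is it safe to read the claims.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise TokenRejected("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("expired")
    return claims


def demo():
    """Run a valid token and several negative test cases through the verifier."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "tech-42",
            "role": "technician", "exp": now + 300}
    valid = mint_token(good)
    h, _, s = valid.split(".")
    # Negative case: genuine signature kept, payload swapped for a different subject.
    swapped = h + "." + _b64url_encode(json.dumps(dict(good, sub="admin")).encode()) + "." + s
    # Negative case: 'alg: none' with no signature at all.
    unsigned = mint_token(dict(good, sub="admin"), alg="none")
    # Negative case: signed under a key the IdP never issued.
    wrong_key = mint_token(dict(good, sub="admin"), key=b"guess")
    # Negative case: correctly signed but already expired.
    expired = mint_token(dict(good, exp=now - 1))
    results = {}
    for name, tok in [("valid", valid), ("swapped_payload", swapped),
                      ("alg_none", unsigned), ("wrong_key", wrong_key), ("expired", expired)]:
        try:
            results[name] = verify_id_token(tok, now=now)["sub"]
        except TokenRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} {outcome}")
```

The important property is that claims are never parsed for authorisation decisions before the signature check passes; a verifier that reads `sub` or `role` first and treats the signature as optional is exactly the shape of flaw this advisory describes.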

Who's at risk

Exposure: unknown · Auth: unknown · unknown

Enterprise profiles most at risk

  • Organizations using SimpleHelp for remote support or IT management
  • Enterprises with OIDC authentication configured for SimpleHelp
  • Financial services and Technology sectors (due to assessed adversary targeting)

Misconfigurations that escalate it

  • SimpleHelp instances with OIDC authentication enabled without proper signature verification enforcement
  • Configurations where forged tokens grant high-privilege technician sessions
  • Configurations where multi-factor authentication is bypassed by this flaw

High-impact scenarios

  • An unauthenticated attacker gaining full administrative control over SimpleHelp, leading to potential access to managed systems or data
  • Bypass of multi-factor authentication, negating an important security layer
  • Unauthorized remote access to endpoints managed by SimpleHelp, enabling further network penetration or data exfiltration

Likely adversaries

  • FIN7 — Financial services (Assessed)
  • LockBit affiliates — Financial services (Assessed)
  • APT38 (Lazarus) — Financial services (Assessed)
  • APT29 (Cozy Bear) — Technology (Assessed)
  • Scattered Spider — Technology (Assessed)

What to do (defensive)

Detect

  • Monitor SimpleHelp authentication logs for unusual login patterns or sessions from unknown sources, especially for technician accounts
  • Review OIDC configurations within SimpleHelp to ensure signature verification is correctly implemented and enforced
  • Look for any unauthorized changes to SimpleHelp configurations or unexpected remote access sessions

Contain

  • Isolate SimpleHelp instances from the broader network if compromise is suspected
  • Temporarily disable OIDC authentication in SimpleHelp if immediate patching is not feasible, reverting to other authentication methods if available and secure
  • Force password resets for all SimpleHelp technician accounts after patching to invalidate any potentially compromised sessions

Patch

  • Apply the latest security patches from SimpleHelp that address CVE-2026-48558 immediately
  • Verify that OIDC authentication is correctly configured post-patch to enforce cryptographic signature validation

Frontier verdict — High

This is a critical vulnerability with confirmed in-the-wild exploitation (CISA KEV) allowing full authentication bypass, demanding immediate patching and configuration review.

For detection-engineering and awareness only · point-in-time · not security advice · sourced from NVD, FIRST EPSS, CISA KEV. Adversary mappings are assessments unless cited.