An unauthenticated attacker can forge OIDC identity assertions to create a privileged Technician account on SimpleHelp servers - no credentials, no MFA required. CVE-2026-48558 carries a critical severity rating and affects SimpleHelp versions 5.5.15 and older, plus all 6.0 pre-release builds.
OIDC Validation Hole Gives Full Remote Control
The bug lives in how SimpleHelp validates identity assertions from an OpenID Connect provider. Researchers at Horizon3.ai (Zach Hanley) found that when OIDC authentication is enabled, an attacker can craft a malicious assertion that registers a new Technician user. That new account lands with default privileges: remote into managed endpoints, execute scripts, and perform any privileged management action. The exploit sidesteps multi-factor authentication entirely.
Three prerequisites must align: OIDC authentication must be enabled, at least one Technician Group must be associated with the OIDC provider, and that group must have "Allow group authenticated logins" turned on. Horizon3.ai noted the latter is enabled in many configurations they sampled.
~1,000 Exposed Servers Are Sitting Ducks
Shodan scans reveal roughly 14,000 SimpleHelp servers reachable from the public internet. Horizon3.ai analyzed a random sample and found 7.2% use OIDC authentication. That translates to about 1,000 servers where the attack path is viable. SimpleHelp fixed the flaw on June 9 with versions 5.5.16 and 6.0RC2.
Drop-In Detection and Mitigation
No active exploitation has been reported, but SimpleHelp has a track record of attracting threat actors. Organizations should update immediately. If patching is impossible, restrict technician login sources with IP-based allowlists. The researchers shared specific indicators of compromise: look for new authenticated technician users with suspicious names or email addresses. Check logs in /opt/SimpleHelp/logs/server.log for unexpected technician registrations, email addresses, and configuration changes by rogue accounts.
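To prioritize patching across a fleet, the following added example (not code from SimpleHelp, Horizon3.ai, or the source article) classifies servers using the affected versions and the three prerequisites stated above. The inventory field names, hostnames, and sample records are constructed assumptions; populate them from your own asset data.

```python
import re

FIXED_STABLE = (5, 5, 16)  # first fixed 5.x release per the article

def version_affected(version):
    """True/False per the article's ranges; None if the string cannot be classified."""
    v = version.strip().upper().replace(" ", "")
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-_]?([A-Z]+)(\d*))?", v)
    if not m:
        return None
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    tag, tag_num = m[4], int(m[5] or 0)
    if (major, minor) == (6, 0) and tag:
        # 6.0 pre-release builds are affected until the fix in 6.0RC2.
        return not (tag == "RC" and tag_num >= 2)
    if tag:
        return None  # pre-release of another branch: not covered by the article
    return (major, minor, patch) < FIXED_STABLE

def triage(server):
    """Combine the version check with the three configuration prerequisites."""
    affected = version_affected(server["version"])
    prereqs = (server["oidc_enabled"]             # OIDC authentication enabled
               and server["oidc_group_linked"]    # Technician Group tied to the provider
               and server["group_auth_logins"])   # "Allow group authenticated logins" on
    if affected is None:
        return "REVIEW"              # unknown version string: check by hand
    if not affected:
        return "PATCHED"
    return "EXPOSED" if prereqs else "VULNERABLE_VERSION"

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "sh-01.example.internal", "version": "5.5.15", "oidc_enabled": True, "oidc_group_linked": True, "group_auth_logins": True},
    {"host": "sh-02.example.internal", "version": "5.5.15", "oidc_enabled": False, "oidc_group_linked": False, "group_auth_logins": False},
    {"host": "sh-03.example.internal", "version": "5.5.16", "oidc_enabled": True, "oidc_group_linked": True, "group_auth_logins": True},
    {"host": "sh-04.example.internal", "version": "6.0RC1", "oidc_enabled": True, "oidc_group_linked": True, "group_auth_logins": True},
    {"host": "sh-05.example.internal", "version": "custom-build", "oidc_enabled": True, "oidc_group_linked": True, "group_auth_logins": True},
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(f'{s["host"]:26} {s["version"]:14} {triage(s)}')
```

Servers marked VULNERABLE_VERSION do not currently meet the prerequisites but still need the update, since a later configuration change would open the attack path.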
Treat this like a zero-day even though it's patched - the exploit mechanics are public, and the attack surface is measurable.
Source: SimpleHelp bug lets hackers create rogue remote support accounts
Domain: bleepingcomputer.com