
SimpleHelp Auth Bypass Exploited to Steal Cloud Credentials

A maximum-severity flaw in the SimpleHelp remote support platform is under active exploitation, letting attackers log in as a technician with no password at all. Once inside, they're deploying two new malware families that raid credentials from cloud accounts, code repositories, and AI coding tools on managed business systems.

By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read

CVSS 10.0. That's the maximum score a vulnerability can get, and CVE-2026-48558 earned it in full.

What's actually broken

SimpleHelp is remote monitoring and management (RMM) software that IT providers use to remote into and manage client machines. Researchers at Horizon3.ai found that servers configured to use OIDC login, whether generic OIDC or Azure AD, never verify the cryptographic signature on the identity token they receive. That means an attacker can forge a token containing whatever identity claims they want and get treated as a brand-new, fully authenticated Technician account. No password required.

Multi-factor authentication doesn't save you here either. Technicians are allowed to self-register their own MFA method the first time they log in, so an attacker who forges their way to a first login just registers MFA for themselves and sails past it.
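The check the article says is missing, as an added illustration rather than SimpleHelp's own code: a minimal ID-token verifier that validates the algorithm, signature, issuer, audience and expiry before trusting any claim, beside the flawed pattern that reads claims straight out of the token. The key, issuer and audience values are constructed; HS256 with a shared secret is used so the example runs with the standard library alone, whereas a real OIDC client verifies an RS256 signature against the provider's published JWKS keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a real OIDC check uses the provider's public key from its
# JWKS endpoint (usually RS256); HS256 with a shared secret keeps this stdlib-only.
IDP_KEY = b"constructed-example-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "simplehelp-example-client"
ALLOWED_ALGS = {"HS256"}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(claims, key=IDP_KEY):
    """Mint an HS256 ID token the way the identity provider would (constructed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def claims_without_verification(token):
    """The flawed pattern: decode the payload and trust every claim in it."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verified_claims(token, key=IDP_KEY, now=None):
    """Hardened: alg allowlist, signature, issuer, audience and expiry checks."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") not in ALLOWED_ALGS:
            return None  # rejects "none" and algorithm-confusion tokens
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # not signed with the provider's key
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
            return None  # token meant for another issuer or client
        if claims["exp"] <= (time.time() if now is None else now):
            return None  # expired (a missing exp raises KeyError, caught below)
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token
```

With a token whose claims were not signed by the provider's key, `claims_without_verification` hands back whatever identity is in the payload while `verified_claims` returns `None`, which is the difference between the vulnerable and patched behaviour the article describes.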

Attackers are already inside

Blackpoint Cyber reported in late June that an unknown threat actor is exploiting the bug against internet-facing SimpleHelp servers to obtain a Technician session, then using it to push files and run commands across every endpoint that server manages. That access delivered two malware families researchers had not documented before: TaskWeaver and Djinn Stealer.

TaskWeaver arrives disguised as a file named jquery.js and runs through node.exe. Rather than carrying a fixed list of commands, it opens an encrypted channel back to attacker infrastructure and pulls down whatever JavaScript payload the operator wants to run next. The payload it delivered was Djinn Stealer, which targets Windows, macOS, and Linux and goes after credentials for cloud platforms, source control, package registries, AI coding assistants, browsers, SSH keys, and cryptocurrency wallets. On Linux hosts it even reads process memory files that can contain passwords and API keys passed as command-line arguments. Everything it finds gets packed into an encrypted archive and shipped out to attacker servers.

Are you exposed?

  • Check your SimpleHelp server version. Anything at 5.5.15 or earlier, or a 6.0 pre-release build, is vulnerable. 5.5.16 and 6.0 RC2 both fix the flaw.
  • Confirm whether OIDC login (generic or Azure AD) is switched on for your SimpleHelp server. If it isn't, this specific bug doesn't apply to you.
  • Open the SimpleHelp admin console and look for any Technician account you cannot account for, especially one with no matching onboarding record.
  • Check your outbound network logs for connections to a.dev-tunnels[.]com or the IP 96.126.130.126, both named in the Blackpoint Cyber report as attacker infrastructure.

What to do now

Update to SimpleHelp 5.5.16 or 6.0 RC2 immediately, and rotate credentials on anything a Technician account could have touched. CISA has already added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog and given federal agencies until July 2 to patch. That deadline is a reasonable one for any small business running SimpleHelp too, given how much a single technician session can reach.