U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog

https://securityaffairs.com/194503/security/u-s-cisa-adds-simplehelp-flaw-to-its-known-exploited-vulnerabilities-catalog.html

Publish Date: 2026-06-30 15:51:00

Source Domain: securityaffairs.com

Pierluigi Paganini
June 30, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a SimpleHelp flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SimpleHelp flaw, tracked as CVE-2026-48558 (CVSS v3.1 score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp versions 5.5.15 and earlier and 6.0 pre-release versions. When OIDC authentication is enabled, the software fails to verify the cryptographic signature of identity tokens, allowing a remote, unauthenticated attacker to forge a token and gain a fully authenticated technician session. In some configurations, the flaw can also bypass multi-factor authentication (MFA), with no user interaction required.

The researcher Zach Hanley (@hacks_zach) of Horizon3.ai discovered the vulnerability with the help of generative AI.

SimpleHelp is a remote support and remote access platform that organizations use to provide technical assistance, manage endpoints, and access computers over the internet. It is commonly deployed by IT departments, managed service providers (MSPs), and help desks to troubleshoot devices, transfer files, run remote commands, and perform system administration without being physically present.

Because SimpleHelp servers often provide privileged access to many customer systems, vulnerabilities in the platform can be particularly dangerous. If attackers compromise a SimpleHelp server, they may gain the same level of access as legitimate technicians, potentially allowing them to move laterally across networks, deploy malware, or steal sensitive data.

“The vulnerability identified affects servers configured to use either version of OIDC and is rooted in the way…
