What happened
A critical vulnerability in SimpleHelp remote management software can allow unauthenticated attackers to create privileged technician accounts on vulnerable servers that use OpenID Connect authentication.
The flaw is tracked as CVE-2026-48558. It affects SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.
Researchers at Horizon3.ai said the issue is caused by how identity assertions from an OpenID Connect identity provider are validated. When OpenID Connect authentication is enabled, an unauthenticated attacker can create and log in as a new technician user without going through the multi-factor authentication process.
That technician account can then perform privileged management activities, including remotely accessing managed endpoints and executing scripts.
SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2.
The flaw does not affect every SimpleHelp server running a vulnerable version. Exploitation requires OpenID Connect authentication to be enabled, at least one technician group to be associated with the OpenID Connect provider, and group-authenticated logins to be allowed.
Shodan results show roughly 14,000 SimpleHelp servers exposed to the public internet. A random sample reviewed by researchers suggested that about 7.2% are configured to use OpenID Connect authentication.
Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation. However, organizations are being advised to apply the available updates or mitigations because SimpleHelp has previously attracted significant threat actor interest.
Who is affected
Organizations running SimpleHelp versions 5.5.15 and older, or 6.0 pre-release versions, may be affected.
The highest-risk deployments are SimpleHelp servers that use OpenID Connect authentication, have at least one technician group associated with the identity provider, and allow group-authenticated logins.
Organizations with internet-exposed SimpleHelp servers are at particular risk because attackers could potentially create rogue technician accounts and use them to access managed endpoints or execute scripts.
Why CISOs should care
This vulnerability affects remote management software, which sits in a highly privileged position in enterprise environments. If attackers can create rogue technician accounts, they may gain the ability to remotely access managed endpoints and run scripts across systems.
The identity angle is especially important. The flaw allows attackers to bypass the normal authentication flow when certain OpenID Connect configurations are present. That means organizations cannot assume MFA alone protects the environment if the identity validation logic in the application can be abused.
The exposure data also matters. With roughly 14,000 SimpleHelp servers visible on the public internet and a subset using OpenID Connect, vulnerable configurations could provide attackers with a direct path into remote support infrastructure.
3 practical actions
- Upgrade affected SimpleHelp servers immediately: SimpleHelp fixed CVE-2026-48558 in versions 5.5.16 and 6.0RC2. CISOs should ensure vulnerable SimpleHelp deployments are upgraded to a fixed version, especially if the server is internet-exposed or uses OpenID Connect authentication.
- Restrict technician logins if patching is delayed: If immediate upgrading is not possible, organizations should restrict technician login sources using IP-based allowlists. This can reduce the risk of unauthenticated attackers reaching the affected login flow from untrusted networks.
- Hunt for rogue technician accounts and suspicious configuration changes: Researchers advised checking for newly authenticated technician users with unknown or suspicious names or email addresses. Security teams should review SimpleHelp logs for technician registrations, unexpected account creation, email changes, and configuration changes made by unfamiliar accounts.
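The hunt in the last action above, as an added example that is not SimpleHelp's code or the researchers' tooling: it runs over a few constructed audit records in a hypothetical JSON-lines format (SimpleHelp's actual log format is not described here), flags technician registrations for identities outside a known list, and flags email and configuration changes performed by accounts not on that list.

```python
import json
from datetime import datetime, timezone

# Constructed audit records in a hypothetical JSON-lines format (not SimpleHelp's
# real log format). Fields: ts, event, actor (who did it), subject (what/who it
# affected), auth (how the actor authenticated).
SAMPLE_LOG = """
{"ts": "2026-05-20T10:00:00+00:00", "event": "technician_created", "actor": "admin@corp.example", "subject": "carol@corp.example", "auth": "password"}
{"ts": "2026-06-02T08:00:00+00:00", "event": "technician_created", "actor": "admin@corp.example", "subject": "alice@corp.example", "auth": "password"}
{"ts": "2026-06-10T03:14:00+00:00", "event": "technician_created", "actor": "self", "subject": "svc-helpdesk@evil.example", "auth": "oidc"}
{"ts": "2026-06-10T03:15:30+00:00", "event": "email_changed", "actor": "svc-helpdesk@evil.example", "subject": "bob@corp.example", "auth": "oidc"}
{"ts": "2026-06-10T03:16:00+00:00", "event": "config_changed", "actor": "svc-helpdesk@evil.example", "subject": "technician_login_sources", "auth": "oidc"}
{"ts": "2026-06-11T09:00:00+00:00", "event": "config_changed", "actor": "alice@corp.example", "subject": "branding", "auth": "password"}
"""

# Technician identities the organisation recognises (constructed list).
KNOWN_TECHNICIANS = {"admin@corp.example", "alice@corp.example", "bob@corp.example"}

# Review window: the fix shipped June 9, so look back well before it.
REVIEW_SINCE = datetime(2026, 6, 1, tzinfo=timezone.utc)

# Changes the advisory says to review when made by an unfamiliar account.
SENSITIVE_EVENTS = {"email_changed", "config_changed"}


def hunt_rogue_technicians(log_text, known, since):
    """Return findings: technician registrations for unknown identities, plus
    sensitive changes performed by actors outside the known set."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if datetime.fromisoformat(ev["ts"]) < since:
            continue  # outside the review window
        actor, subject = ev.get("actor", ""), ev.get("subject", "")
        if ev["event"] == "technician_created" and subject not in known:
            findings.append({"kind": "unknown_technician_registered", "who": subject,
                             "ts": ev["ts"], "auth": ev.get("auth")})
        elif ev["event"] in SENSITIVE_EVENTS and actor not in known:
            findings.append({"kind": f"{ev['event']}_by_unknown_actor", "who": actor,
                             "ts": ev["ts"], "target": subject})
    return findings


if __name__ == "__main__":
    for finding in hunt_rogue_technicians(SAMPLE_LOG, KNOWN_TECHNICIANS, REVIEW_SINCE):
        print(finding)
```

An OIDC-authenticated self-registration followed minutes later by changes to another technician's email and to login-source settings is exactly the sequence worth escalating.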
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

