Authentication Bypass Vulnerability in SimpleHelp by SimpleHelp
CVE-2026-48558

9.5 CRITICAL

Key Information:

Vendor: SimpleHelp

CVE Published: 12 June 2026

Badges

📈 Score: 905 | 💰 Ransomware | 👾 Exploit Exists | 🟡 Public PoC | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2026-48558?

CVE-2026-48558 is a vulnerability in SimpleHelp, remote support software designed to enable secure access and assistance for users. The vulnerability is rooted in the OpenID Connect (OIDC) authentication flow and affects versions 5.5.15 and earlier, along with pre-release versions of 6.0. The flaw allows a remote, unauthenticated attacker to submit forged identity tokens that bypass the necessary cryptographic signature verification. As a result, attackers can gain unauthorized access to a fully authenticated technician session without needing to interact with the targeted system. In certain configurations the flaw may also allow multi-factor authentication to be bypassed, heightening the security risk.

Potential impact of CVE-2026-48558

  1. Unauthorized Access: This vulnerability enables attackers to achieve unauthorized access to sensitive technician-level sessions, allowing them to manipulate or retrieve confidential information without legitimate credentials.

  2. Bypassing Multi-Factor Authentication: The potential to bypass multi-factor authentication means that even organizations employing strong security protocols could find their defenses undermined, increasing the vulnerability of systems even further.

  3. Increased Risk of Exploitation: Given the nature of the vulnerability, it poses a significant risk for active exploitation. Attackers may leverage this flaw to gain control over systems, leading to data breaches, potential ransom demands, and significant operational disruption.

CISA has reported CVE-2026-48558

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-48558 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This may change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Affected Version(s)

SimpleHelp 5.5.0

SimpleHelp 5.5.0 < 5.5.16

SimpleHelp 6.0 < 6.0 RC2
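To triage an inventory against the ranges above, the following added example (not code from SimpleHelp or from this page's source) classifies version strings. The string layouts it accepts ("5.5.14", "6.0 RC1", "6.0-rc2") and the sample inventory are assumptions; anything it cannot parse is returned as unknown for manual review.

```python
import re

# Boundaries from the page: 5.5.15 and earlier are affected (fixed in 5.5.16);
# 6.0 pre-releases before RC2 are affected.
FIXED_5X = (5, 5, 16)
FIXED_60_RC = 2

# Assumed string layout, not confirmed by the page: "5.5.14", "6.0 RC1", "6.0-rc2".
_VERSION_RE = re.compile(
    r"^\s*(?:SimpleHelp\s+)?v?(\d+(?:\.\d+){0,2})"
    r"(?:[\s_-]*(rc|beta|alpha)[\s_-]*(\d*))?\s*$",
    re.IGNORECASE,
)


def triage(version_text):
    """Return 'affected', 'not_affected' or 'unknown' for one version string."""
    m = _VERSION_RE.match(version_text or "")
    if not m:
        return "unknown"  # never guess: route to manual review
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "6.0" -> (6, 0, 0)
    tag, rc_num = (m.group(2) or "").lower(), m.group(3)
    if tag and nums != (6, 0, 0):
        return "unknown"  # the page only describes pre-releases of 6.0
    if nums < (6, 0, 0):
        return "affected" if nums < FIXED_5X else "not_affected"
    if tag == "rc":
        if not rc_num:
            return "unknown"  # "6.0 RC" with no number cannot be ordered
        return "affected" if int(rc_num) < FIXED_60_RC else "not_affected"
    if tag:
        return "affected"  # alpha/beta builds precede any release candidate
    return "not_affected"  # 6.0 final and later


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"support-01": "5.5.15", "support-02": "5.5.16",
                 "lab-01": "6.0 RC1", "lab-02": "6.0-rc2", "legacy": "build-unknown"}
    for host, version in inventory.items():
        print(f"{host:12} {version:15} {triage(version)}")
```
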

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

CISA Warns of SimpleHelp Authentication Bypass Vulnerability Exploited in Attacks - IT Security News

CISA has issued a warning about a critical authentication bypass vulnerability in SimpleHelp that is actively being exploited in the wild, raising concerns among organizations relying on the remote support software. The vulnerability, tracked as CVE-2026-48558, affects SimpleHelp deployments configu...

2 days ago

CISA Adds Actively Exploited SimpleHelp Vulnerability to KEV Catalog - IT Security News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in SimpleHelp, tracked as CVE-2026-48558, and added it to its Known Exploited Vulnerabilities (KEV) catalog. This indicates that the vulnerability is actively being exploited in the wild,…

2 days ago

IT Security News Weekly Summary July - IT Security News

210 posts were published in the last hour 21:55 : IT Security News Daily Summary 2026-06-30 21:2 : Silent Swap Uses Fake Chrome Extension to Steal Crypto 21:2 : Watch out for “high paying, low effort” Amazon job texts 20:32…

3 days ago

CVSS V4

Score: 9.5
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • 💰 Used in Ransomware

  • 🦅 CISA Reported

  • 📰 First article discovered by BleepingComputer

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zach Hanley (@hacks_zach) of Horizon3.ai