SimpleHelp bug lets attackers create rogue technician accounts

A critical flaw in SimpleHelp remote management software lets unauthenticated attackers create privileged technician accounts on servers using OpenID Connect, affecting version 5.5.15 and earlier and 6.0 pre-release builds, according to a technical analysis from Horizon3.ai.

KEY FACTS

  • CVE: The issue is tracked as CVE-2026-48558 and has a critical severity rating.
  • Trigger: The flaw affects servers that use OIDC authentication.
  • Impact: Attackers can create a new Technician user and log in without MFA.
  • Fix: SimpleHelp released versions 5.5.16 and 6.0RC2 on June 9.

The disclosure says the problem stems from how identity assertions from an OIDC identity provider are validated. When OIDC is enabled, a new Technician account can be created without first passing the multi-factor authentication step.

That account can then carry out privileged management actions such as remoting into managed endpoints and running scripts. The issue does not affect every SimpleHelp deployment running an affected version, only those that meet several conditions, including an OIDC configuration with an associated Technician Group and group-authenticated logins enabled.

Horizon3.ai found about 14,000 SimpleHelp servers exposed to the public internet and said a random sample suggested roughly 7.2% used OIDC authentication. The report also said the group-authenticated logins option was enabled in many cases.

Organizations are advised to update to the fixed releases. If that is not possible, one mitigation is to restrict technician login sources with IP-based allowlists. The researchers also listed indicators of compromise, including new technician users with suspicious names or email addresses.

Logs in /opt/SimpleHelp/logs/server.log and /opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log may also show technician registrations, email addresses and configuration changes made by rogue accounts.
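One way to carry out that log review, as an added example that is not SimpleHelp's or Horizon3.ai's code: the sample lines and their layout are constructed for illustration, and the real server.log syntax will need the patterns adjusted. The script flags technician registrations absent from a baseline of provisioned accounts, then follows those accounts' logins and configuration changes.

```python
import re
from pathlib import Path

# Constructed sample lines in an ASSUMED "<timestamp> <level> <message>" layout;
# SimpleHelp's real server.log syntax may differ, so adjust the patterns below.
SAMPLE_LOG = """\
2026-06-08T02:14:07Z INFO Technician registered: name=alice email=alice@corp.example group=Support
2026-06-08T02:15:30Z INFO Technician login: name=alice mfa=true
2026-06-09T03:41:12Z INFO Technician registered: name=svc-update email=xk9@mail.invalid group=Support
2026-06-09T03:41:40Z INFO Technician login: name=svc-update mfa=false
2026-06-09T03:42:05Z INFO Configuration changed by technician svc-update: key=remote_access_policy
"""

# Baseline of technician accounts the organisation actually provisioned (assumed).
KNOWN_TECHNICIANS = {"alice", "bob"}

REGISTRATION = re.compile(r"^(?P<ts>\S+) \S+ Technician registered: name=(?P<name>\S+) email=(?P<email>\S+)")
LOGIN = re.compile(r"^(?P<ts>\S+) \S+ Technician login: name=(?P<name>\S+) mfa=(?P<mfa>true|false)")
CONFIG = re.compile(r"^(?P<ts>\S+) \S+ Configuration changed by technician (?P<name>[^:\s]+)")


def triage(lines, known):
    """Return (timestamp, event, technician, detail) tuples for accounts not in the baseline."""
    findings, rogue = [], set()
    for line in map(str.strip, lines):
        if m := REGISTRATION.match(line):
            if m["name"] not in known:          # registration the org did not provision
                rogue.add(m["name"])
                findings.append((m["ts"], "unknown_registration", m["name"], m["email"]))
        elif (m := LOGIN.match(line)) and m["name"] in rogue:
            event = "login_without_mfa" if m["mfa"] == "false" else "login"
            findings.append((m["ts"], event, m["name"], ""))
        elif (m := CONFIG.match(line)) and m["name"] in rogue:
            findings.append((m["ts"], "config_change_by_rogue", m["name"], line.split(": ", 1)[-1]))
    return findings


def triage_log_tree(root, known):
    """Scan server.log plus the dated <YYYYMMDD-HHMMSS>/server.log copies under root."""
    results = []
    for path in sorted(list(Path(root).glob("server.log")) + list(Path(root).glob("*/server.log"))):
        with path.open(encoding="utf-8", errors="replace") as fh:
            results += [(str(path),) + f for f in triage(fh, known)]
    return results


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), KNOWN_TECHNICIANS):
        print(finding)
```

Point triage_log_tree at /opt/SimpleHelp/logs on a live server to cover both log locations named above.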

WHY IT MATTERS

The flaw can give an attacker direct access to remote support tools that are often used to manage many endpoints from one server. No active exploitation has been reported, but the product has previously drawn threat actor interest, making rapid patching and log review important.