Threat Intelligence / vulnerability / TL-2026-1122SimpleHelp Authentication Bypass via Forged OIDC Tokens (CVE-2026-48558) Actively Exploited, Added to CISA KEV — Threadlinqs Intelligence Threat ID: TL-2026-1122 · Severity: CRITICAL · CVSS: 10 · Status: ACTIVE · Category: VULNERABILITY
CVE-2026-48558 is a maximum-severity (CVSS 10.0) authentication bypass in SimpleHelp remote support/RMM software configured with OpenID Connect (OIDC), caused by failure to verify the cryptographic
CVE-2026-48558 affects SimpleHelp deployments that have at least one OIDC identity provider configured, a Technician Group associated with that provider, and the "Allow group authenticated logins" setting enabled (including both generic OIDC and Azure AD OIDC configurations). In this configuration, SimpleHelp accepts identity tokens submitted during the OIDC login flow without verifying their cryptographic signature. A remote, unauthenticated attacker can therefore craft a forged identity/JWT-style token containing arbitrary identity claims and present it to the login endpoint to create and authenticate as a new, fully privileged "Technician" account. Because SimpleHelp allows technicians to self-register their own MFA method on first login, the forged-account path can also result in a full bypass of any configured multi-factor authentication.
Horizon3.ai's Zach Hanley, working through the firm's autonomous "Sua Sponte" AI-driven vulnerability research initiative, privately reported the flaw to SimpleHelp on 2026-05-22. SimpleHelp silently shipped fixed builds (5.5.16 and 6.0 RC2) around 2026-05-26, and Horizon3.ai publicly disclosed full technical detail and indicators of compromise on 2026-06-12. Internet-wide scanning at disclosure time found roughly 14,000 SimpleHelp servers exposed to the internet, of which approximately 7.2% (roughly 1,000 servers) were configured in the vulnerable OIDC/group-authentication mode.
On 2026-06-29, BlackPoint Cyber's Adversary Pursuit Group published "A Djinn in the Machine," documenting a real-world intrusion in which an attacker exploited CVE-2026-48558 against an internet-facing SimpleHelp server to obtain a forged Technician session, then abused the RMM's own remote file-transfer and remote-execution capabilities to push a malicious payload to managed endpoints. The payload was a 1.08 MB, single-line, heavily obfuscated Node.js file named "jquery.js" (to masquerade as the legitimate jQuery library), staged on a temporary Cloudflare Tunnel (trycloudflare.com) URL and executed via node.exe. This loader, dubbed TaskWeaver, fingerprints the host and establishes an encrypted, reusable command channel to a remote server at a.dev-tunnels[.]com, allowing the operator to push arbitrary follow-on JavaScript modules without modifying the loader itself.
TaskWeaver's primary observed payload is Djinn Stealer, a previously undocumented, cross-platform (Windows, macOS, Linux) information stealer that reuses TaskWeaver's obfuscation framework and embeds the identical RSA-2048 public key, tying the two families to the same operator. Djinn Stealer harvests cloud-provider credentials (AWS, Azure, Google Cloud, Oracle, Okta, Cloudflare), developer/DevOps credentials (GitHub, Git configuration, SSH private keys, Docker, Helm, npm, pip/PyPI, Cargo, Maven and other package-registry tokens), AI coding-assistant credentials (Claude, Gemini, Codex, Cline), cryptocurrency wallets (Bitcoin, Ethereum, Monero, Exodus, Atomic Wallet), browser-stored data, shell history, and PGP keys. On Linux hosts it additionally reads /proc/<pid>/cmdline and /proc/<pid>/environ to recover secrets embedded in running-process arguments and environment variables. Collected data is packed into a TAR archive, compressed with GZIP, and encrypted with AES-256-GCM using a key itself protected by an embedded RSA-2048 public key, before being exfiltrated to an attacker-controlled server at 96.126.130.126 on TCP port 58942.
CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-06-29 based on confirmed in-the-wild exploitation, triggering a Binding Operational Directive (BOD) 26-04 remediation deadline of 2026-07-02 for U.S. federal civilian agencies. Because SimpleHelp is widely deployed by managed service providers (MSPs) and IT service organizations to centrally administer client endpoints, a single compromised SimpleHelp instance can cascade into a multi-tenant supply-chain compromise, giving an attacker
Target sectors: technology, managedserviceproviders, softwaredevelopment, cross-sector
Target regions: Global, North America
Detections & IOCs This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 28 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans .
VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2026-48558, T1595, T1583, T1587, T1190, T1550, T1059, T1072, T1136, T1098, T1027