A critical SimpleHelp flaw gives attackers a path to create technician accounts on exposed servers that use OpenID Connect, with access that can reach managed endpoints and scripts.

Attackers can exploit a critical SimpleHelp vulnerability to create privileged technician accounts on servers that use OpenID Connect authentication, giving them access to remote support functions that administrators use to manage endpoints.
The flaw, tracked as CVE-2026-48558, affects SimpleHelp 5.5.15 and older versions, along with 6.0 pre-release builds. SimpleHelp released fixes June 9 in versions 5.5.16 and 6.0RC2.
Horizon3.ai researcher Zach Hanley said the bug sits in the way SimpleHelp checks identity assertions from an OpenID Connect identity provider. With OIDC enabled, an unauthenticated attacker can create a new technician user and sign in without passing through multifactor authentication.
"This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more," Hanley said.
That access makes the bug serious for organizations that use SimpleHelp to support fleets of laptops, servers and workstations. A technician account can give an intruder a direct route into devices that already trust the support platform.

Horizon3.ai said CVE-2026-48558 affects a subset of SimpleHelp deployments. A vulnerable version alone does not expose a server to this attack path. The server also needs OIDC authentication enabled, at least one technician group linked to the OIDC provider, and the setting that permits group-authenticated logins.
Researchers checked internet exposure through Shodan and found about 14,000 SimpleHelp servers reachable from the public internet. Horizon3.ai sampled those systems and estimated that about 7.2% used OIDC authentication. The company also found the group login setting enabled in many cases.
Administrators should upgrade SimpleHelp servers to 5.5.16 or 6.0RC2. Teams that cannot patch at once should restrict technician login sources with IP allowlists, then schedule the upgrade as the main fix.
Security teams should also review SimpleHelp technician accounts for unknown names, unusual email addresses or accounts that appeared near June 9 or after. Horizon3.ai said SimpleHelp logs may show technician registrations, email addresses and configuration changes tied to rogue accounts.
Administrators can check /opt/SimpleHelp/logs/server.log and archived log paths such as /opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log for suspicious registration events. Teams should compare those events with identity provider logs, MFA records and help desk change tickets.
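As an added example (not code from the article, SimpleHelp or Horizon3.ai), the following Python triage script walks the current and archived server.log paths named above and flags technician registrations on or after the patch date that are not on an administrator's known-good list. The line layout and the "Technician registered:" wording are assumptions, since the article does not show SimpleHelp's actual log format; adjust the two regular expressions to match what your server.log contains.

```python
import re
from datetime import date, datetime
from pathlib import Path

# ASSUMED line shape "<ISO timestamp> <LEVEL> <message>"; SimpleHelp's real
# format may differ, so adapt these two patterns to your own server.log.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+\S+\s+(?P<msg>.*)$")
REG_RE = re.compile(
    r"technician (?:registered|created):\s*(?P<user>\S+)"
    r"(?:\s+email=(?P<email>\S+))?(?:\s+via=(?P<via>\S+))?",
    re.IGNORECASE,
)

def log_paths(root: Path) -> list:
    """Current server.log plus archived <YYYYMMDD-HHMMSS>/server.log copies."""
    current = [root / "server.log"] if (root / "server.log").is_file() else []
    return current + sorted(root.glob("[0-9]*-[0-9]*/server.log"))

def registrations(lines):
    """Yield (timestamp, user, email, via) for each registration event found."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        r = REG_RE.search(m["msg"])
        if r:
            yield (datetime.fromisoformat(m["ts"]), r["user"], r["email"] or "", r["via"] or "")

def triage(lines, known_users, since: str) -> list:
    """Registrations on/after `since` (YYYY-MM-DD) whose user is not known-good."""
    cutoff = date.fromisoformat(since)
    known = {u.lower() for u in known_users}
    return [
        {"when": ts.isoformat(), "user": user, "email": email, "via": via}
        for ts, user, email, via in registrations(lines)
        if ts.date() >= cutoff and user.lower() not in known
    ]

def scan(root: Path, known_users, since: str) -> list:
    """Run triage over every current and archived server.log under root."""
    hits = []
    for p in log_paths(root):
        with p.open(errors="replace") as fh:
            hits += triage(fh, known_users, since)
    return hits

# Constructed sample lines for this example, in the assumed format above.
SAMPLE_LOG = [
    "2026-05-20T09:12:01 INFO Technician registered: alice email=alice@corp.example via=oidc",
    "2026-06-09T22:47:13 INFO Technician registered: svc-helpdesk2 email=x9@mail.example via=oidc",
    "2026-06-10T03:05:44 INFO Technician created: bob email=bob@corp.example via=local",
    "2026-06-10T03:06:00 INFO Session started technician=svc-helpdesk2 endpoint=WS-0412",
]
KNOWN_TECHNICIANS = ["alice", "bob"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, KNOWN_TECHNICIANS, "2026-06-09"):
        print(hit)
```

Every hit should then be compared against identity provider logs, MFA records and help desk tickets, as the article recommends, before an account is disabled.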
SimpleHelp and Horizon3.ai have not reported active exploitation. That should not slow patching. Remote monitoring and management tools attract attackers because they sit inside trusted administrative workflows and often hold broad access to endpoints.
Organizations that run SimpleHelp should treat this as an identity and endpoint access issue, not a narrow web bug. Rotate any credentials tied to suspicious technician accounts, disable accounts that administrators cannot verify and review script execution history from the SimpleHelp console.
Security teams should also check managed endpoints for support sessions that match unknown technician accounts. A successful attacker could use the platform to reach machines, run commands and blend activity into normal remote support traffic.
The practical response is clear: upgrade SimpleHelp, restrict technician login paths, audit technician accounts and review logs for new users or configuration changes. Teams that rely on OIDC should verify group mappings and remove broad login permissions that no longer need to exist.
