(TLP:CLEAR) Vulnerability Notification – SimpleHelp RMM Authentication Bypass Exploited, CVE-2026-48558
Created: Wednesday, July 1, 2026 - 10:23
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities using SimpleHelp Remote Monitoring and Management (RMM) software configured with OpenID Connect (OIDC) authentication. Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.
Summary: A critical authentication bypass vulnerability affecting SimpleHelp Remote Monitoring and Management (RMM) software is being actively exploited in the wild. Tracked as CVE-2026-48558 (CVSS 10.0), the vulnerability affects SimpleHelp servers configured to use generic OIDC or Azure Active Directory OIDC authentication and allows an unauthenticated attacker to submit a forged identity token to obtain a fully authenticated “Technician” session. In some configurations, this also bypasses multi-factor authentication. Technician accounts created through this method can remotely access managed endpoints, execute scripts, and perform other privileged administrative actions.
According to Blackpoint Cyber, an unidentified threat actor has exploited this flaw to deploy two previously unreported malware families, TaskWeaver and Djinn Stealer, across compromised SimpleHelp deployments.
Analyst Note: This is especially concerning for utilities because RMM platforms like SimpleHelp typically provide centralized, trusted administrative access across many downstream endpoints. A single compromised server can expose every managed network to lateral movement, credential theft, and ransomware deployment. CISA has previously documented this pattern: its advisory on a related SimpleHelp vulnerability describes ransomware actors leveraging unpatched SimpleHelp RMM instances to compromise a utility billing software provider and its downstream customers. CISA has also added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) Catalog.
SimpleHelp has released fixes for the vulnerability. Affected versions include SimpleHelp 5.5.15 and earlier, and all 6.0 pre-release versions. Upgrading to SimpleHelp 5.5.16 or 6.0 RC2 remediates the issue.
WaterISAC strongly encourages members to review SimpleHelp’s security advisory, determine whether SimpleHelp RMM is deployed in their environment (directly or through a third-party vendor or MSP) and upgrade to a patched version immediately. Additional recommended actions include:
- Confirm whether OIDC authentication is enabled and review its configuration.
- Review SimpleHelp Technician account activity and server logs for signs of unauthorized account creation or suspicious access.
- If immediate patching is not possible, restrict Technician authentication to approved source IP addresses.
- Review published indicators of compromise from Blackpoint Cyber and Horizon3.ai.
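The following triage helper is an added example written for this notification; it is not WaterISAC, SimpleHelp, Blackpoint Cyber or Horizon3.ai code. It covers two of the steps above: deciding which inventoried SimpleHelp servers fall in the affected version range stated in the notification (5.5.15 and earlier, and 6.0 pre-releases before RC2), and reviewing server logs for Technician logins from outside an approved source-IP list, OIDC logins that did not involve MFA, and Technician accounts created by such sessions. The log line format, field names, IP ranges and account names are all constructed for illustration (SimpleHelp's real log format is not given in the notification), and the treatment of 6.0 final releases as patched is an assumption, since the notification only names 6.0 RC2 as the fixed pre-release.

```python
"""Triage helper for the SimpleHelp CVE-2026-48558 notification (added example, not vendor code)."""
import ipaddress
import re

# Constructed sample of a hypothetical SimpleHelp server log (format is assumed, not SimpleHelp's own).
SAMPLE_LOG = [
    "2026-06-30T02:14:07Z INFO auth technician=ops-admin method=oidc mfa=false src=203.0.113.45 result=success",
    "2026-06-30T02:14:09Z INFO account_created technician=svc-backup by=ops-admin src=203.0.113.45",
    "2026-06-30T08:01:12Z INFO auth technician=jsmith method=password mfa=true src=10.20.0.15 result=success",
    "2026-06-30T08:05:40Z INFO auth technician=jsmith method=oidc mfa=true src=10.20.0.15 result=success",
    "2026-06-30T09:30:00Z INFO account_created technician=new-intern by=jsmith src=10.20.0.15",
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(RC\d+|beta\d*|alpha\d*)?", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True if a SimpleHelp version string falls in the range the notification lists as affected."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre = m[4]
    if (major, minor) < (6, 0):
        # 5.5.15 and earlier are affected; 5.5.16 is the fixed 5.x release
        return (major, minor, patch) <= (5, 5, 15)
    if (major, minor) == (6, 0) and pre:
        # all 6.0 pre-releases are affected except RC2 (and, by assumption, later RCs)
        rc = re.fullmatch(r"RC(\d+)", pre, re.IGNORECASE)
        return not (rc and int(rc[1]) >= 2)
    return False  # assumption: 6.0 final and newer carry the fix


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<event>auth|account_created)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if it is not an event we review."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m["kv"]))
    fields["ts"] = m["ts"]
    fields["event"] = m["event"]
    return fields


def review_logs(lines, allowed_nets):
    """Return (finding, technician, timestamp) tuples for suspicious Technician activity.

    Findings: a successful login from outside the approved source networks, an OIDC login
    without MFA, and any Technician account created by a session already flagged by either.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    flagged = set()   # technicians whose session was flagged by an earlier finding
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        if ev["event"] == "auth" and ev.get("result") == "success":
            if not any(src in n for n in nets):
                findings.append(("auth-outside-allowlist", ev["technician"], ev["ts"]))
                flagged.add(ev["technician"])
            if ev.get("method") == "oidc" and ev.get("mfa") == "false":
                findings.append(("oidc-without-mfa", ev["technician"], ev["ts"]))
                flagged.add(ev["technician"])
        elif ev["event"] == "account_created" and ev.get("by") in flagged:
            findings.append(("account-created-by-flagged-session", ev["technician"], ev["ts"]))
    return findings


if __name__ == "__main__":
    # Constructed inventory: server name -> reported SimpleHelp version
    inventory = {"rmm-hq": "5.5.15", "rmm-msp": "6.0 RC1", "rmm-lab": "5.5.16"}
    for name, ver in inventory.items():
        print(f"{name}: {ver} -> {'AFFECTED, upgrade' if is_affected(ver) else 'patched'}")
    for finding in review_logs(SAMPLE_LOG, ["10.20.0.0/16"]):
        print("finding:", *finding)
```

The allowlist passed to `review_logs` should be the same set of approved source networks the notification recommends restricting Technician authentication to, so the script also serves as a quick check of whether that restriction was in place before the patch was applied.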
Additional Reading:
- CVE-2026-48558: SimpleHelp Authentication Bypass Indicators of Compromise
- Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
- Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
Related WaterISAC PIRs: 6, 8, 10
