Bleeping Computer reports that a critical vulnerability in the SimpleHelp remote management software, tracked as CVE-2026-48558, allows unauthenticated attackers to create privileged technician accounts on servers utilizing the OpenID Connect (OIDC) authentication protocol.

The flaw, affecting SimpleHelp versions 5.5.15 and older, and 6.0 pre-release versions, stems from improper validation of identity assertions from an OIDC identity provider. When OIDC is enabled, attackers can bypass multi-factor authentication to create and log in as a Technician, gaining access to privileged activities like remoting into endpoints and executing scripts. This vulnerability specifically impacts SimpleHelp servers configured with OIDC, including Azure AD OIDC, which are common in large enterprises. Prerequisites for exploitation include OIDC authentication being enabled, a Technician Group associated with the OIDC provider, and "Allow group authenticated logins" enabled for that group.

While an estimated 7.2% of publicly exposed SimpleHelp servers use OIDC, many are also configured with the necessary group settings. SimpleHelp has released versions 5.5.16 and 6.0RC2 to address the vulnerability. Organizations can mitigate the risk by updating their software or by restricting technician login sources via IP-based allowlists. Indicators of compromise include suspicious new technician accounts and specific log entries. While no active exploitation has been reported, the product's history of attracting threat actor interest necessitates prompt patching or mitigation.

Source: Bleeping Computer
Vulnerability Management
SimpleHelp vulnerability allows unauthenticated attackers to create privileged accounts




