SimpleHelp bug lets attackers bypass MFA for rogue technician accounts

CVE-2026-48558 SimpleHelp – A critical SimpleHelp vulnerability, tracked as CVE-2026-48558, allows unauthenticated attackers to create privileged technician accounts through OpenID Connect (OIDC) and log in without multi-factor authentication. The flaw affects SimpleHelp versions 5.5.15
For organizations that use SimpleHelp to manage endpoints, the danger isn’t just that a hacker might break in. It’s how easily they can step into a role meant for trusted technicians.
The problem centers on a vulnerability in SimpleHelp remote management software that lets unauthenticated attackers create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol.
The flaw is tracked as CVE-2026-48558 and was given a critical severity rating. It affects SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions. Researchers at Horizon3.ai say the issue comes down to how identity assertions received from an OIDC identity provider (IdP) are validated.
With OIDC authentication enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through the multi-factor authentication (MFA) process.
“This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more,” Horizon3.ai researcher Zach Hanley explained.
SimpleHelp moved quickly to close the gap. The company fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product.
Not every exposed server is automatically vulnerable, however. CVE-2026-48558 doesn’t impact every SimpleHelp installation running a vulnerable version; it affects the subset that relies on the OIDC protocol, including both the generic OIDC setup and Azure AD OIDC, configurations that are common in large enterprises.
The researchers list clear prerequisites for the exploit to work: OIDC authentication must be enabled; at least one Technician Group must be associated with the OIDC provider; and that group must have “Allow group authenticated logins” enabled.
When they looked at the public internet, results from Shodan showed about 14,000 SimpleHelp servers exposed. A random sample suggested roughly 7.2% are configured to use OIDC authentication. Horizon3.ai also found “Allow group authenticated logins” enabled in many cases, which means the conditions for abuse may be present more often than teams would expect.
The gap between “exposed to the internet” and “exploitable through CVE-2026-48558” is where the real risk sits. The ability to create a technician account and avoid MFA turns an authentication mechanism into a doorway—one that doesn’t require the attacker to be authenticated at all.
If teams can’t patch immediately, a mitigation is to restrict technician login sources using IP-based allowlists. Otherwise, the direct path out is simple: update to the latest SimpleHelp releases that address the issue.
Horizon3.ai also shared indicators of compromise that can help detect active exploitation, including new authenticated technician users with unknown or suspicious names and/or email addresses. Logs may offer additional clues: the files at ‘/opt/SimpleHelp/logs/server.log’ and ‘/opt/SimpleHelp/logs//server.log’ may contain technician registrations, email addresses, and configuration changes performed by rogue accounts.
Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation. Still, the researchers warn that because the product has historically drawn significant threat actor interest, organizations should apply the available fixes or mitigations without delay.
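As an added, defender-side example (not code from the article, from SimpleHelp or from Horizon3.ai), the Python below turns the published prerequisites and indicators of compromise into a small triage helper: an exposure check built from the version and the three OIDC settings, and a scan of server.log-style lines for technician registrations and configuration changes by accounts that are not on the known roster. The version grammar, the configuration field names and the log line format are assumptions made for this illustration, and the log lines are constructed samples, not real SimpleHelp output.

```python
import re
from dataclasses import dataclass, field

# --- 1. Exposure check from the advisory's prerequisites -------------------
# Assumed version grammar: "5.5.15", "6.0RC1" (pre-release), "6.0" (final).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:RC(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, rc); rc is None for a final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SimpleHelp version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def version_is_vulnerable(text):
    """5.5.15 and older, plus 6.0 pre-releases before 6.0RC2, are affected."""
    major, minor, patch, rc = parse_version(text)
    if major < 6:
        return (major, minor, patch) < (5, 5, 16)   # fixed in 5.5.16
    if (major, minor) == (6, 0) and rc is not None:
        return rc < 2                                 # fixed in 6.0RC2
    return False


@dataclass
class ServerConfig:
    """Assumed field names; SimpleHelp's real configuration differs."""
    version: str
    oidc_enabled: bool
    oidc_groups: list = field(default_factory=list)          # technician groups tied to the OIDC provider
    group_login_allowed: dict = field(default_factory=dict)  # group -> "Allow group authenticated logins"


def is_exploitable(cfg):
    """A vulnerable version and all three prerequisites must hold together."""
    if not version_is_vulnerable(cfg.version) or not cfg.oidc_enabled:
        return False
    return any(cfg.group_login_allowed.get(g, False) for g in cfg.oidc_groups)


# --- 2. Log triage for the indicators Horizon3.ai describes ----------------
_REG_RE = re.compile(r'Technician registered: name="([^"]+)" email="([^"]+)"')
_CFG_RE = re.compile(r'Configuration changed by technician "([^"]+)": (.+)$')


def find_rogue_registrations(lines, known_technicians, allowed_domains):
    """Names of newly registered technicians not on the roster or using an unexpected email domain."""
    rogue = []
    for line in lines:
        m = _REG_RE.search(line)
        if not m:
            continue
        name, email = m.groups()
        domain = email.rsplit("@", 1)[-1].lower()
        if name not in known_technicians or domain not in allowed_domains:
            rogue.append(name)
    return rogue


def config_changes_by(lines, names):
    """(technician, change) pairs for configuration changes made by the given accounts."""
    names = set(names)
    return [(m.group(1), m.group(2)) for line in lines
            if (m := _CFG_RE.search(line)) and m.group(1) in names]


# Constructed sample log lines in the assumed format (not real SimpleHelp output).
SAMPLE_LOG = [
    '2026-06-10 03:12:44 INFO Technician registered: name="jdoe" email="jdoe@corp.example" source=OIDC',
    '2026-06-10 03:13:02 INFO Technician registered: name="svc-sync" email="svc-sync@mail.example.net" source=OIDC',
    '2026-06-10 03:15:10 WARN Configuration changed by technician "svc-sync": AllowGroupAuthenticatedLogins group="Helpdesk" value=true',
    '2026-06-10 03:16:00 WARN Configuration changed by technician "jdoe": SessionTimeout value=30',
]

if __name__ == "__main__":
    cfg = ServerConfig("5.5.15", True, ["Helpdesk"], {"Helpdesk": True})
    print("exploitable:", is_exploitable(cfg))
    rogue = find_rogue_registrations(SAMPLE_LOG, {"jdoe"}, {"corp.example"})
    print("rogue technicians:", rogue)
    for who, change in config_changes_by(SAMPLE_LOG, rogue):
        print(f"  {who}: {change}")
```

The exposure check deliberately requires every prerequisite at once, matching the advisory's framing that an exposed server on a vulnerable version is not exploitable unless OIDC is enabled for a technician group with group-authenticated logins allowed; the log scan flags a registration when either the name is unknown or the email domain is unexpected, since a rogue account can plausibly mimic one but rarely both.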
So basically MFA is useless now? Great.
I don’t get it… attackers can just make a technician account and skip MFA, but only if OIDC is on? Sounds like half the companies are fine and half aren’t. Either way, why would any of this be allowed.
This is why I hate “remote management” stuff. First it’s scripts, then it’s remoting into endpoints, then suddenly everyone’s laptop is possessed. They say it’s only a subset that relies on OIDC, but enterprises use that so… yeah that’s most of us. Also the fix was June 9 and everybody takes like 3 months to update so awesome.
Wait, the title says bypass MFA for rogue technician accounts, but is it like you can log in as a tech without MFA, or can the attacker change your technician group stuff? The article mentions prerequisites like “Allow group authenticated logins” and that feels like the real hack. I swear every time there’s a CVE it’s always “settings were wrong” and not the software. But then it’s still the software’s fault… so which is it?