
SimpleHelp CVSS 10 Flaw Under Active Attack — Patch Now
July 2, 2026
SimpleHelp has a flaw carrying a perfect 10.0 CVSS score, and attackers are already using it. CISA's patch deadline is today, July 2. If you run SimpleHelp anywhere in your stack, stop reading and go patch first.
Here's what's going on.
The Flaw
CVE-2026-48558 is an authentication bypass in SimpleHelp's OIDC login flow. When OIDC is configured, the server accepts identity tokens without checking their cryptographic signature. That means an unauthenticated attacker can forge a token, spin up a Technician account, and walk away with admin control of the server.
SimpleHelp is remote monitoring and management (RMM) software — the kind of tool MSPs use to manage client endpoints at scale. One compromised RMM server hands the attacker every machine it manages: deploy software, run scripts, pull data, across every client org on that instance.
CISA added it to the Known Exploited Vulnerabilities catalog on June 29 with a 3-day remediation window under BOD 26-04. That window closes today.
What's Actually Happening in the Wild
An unidentified threat actor is exploiting the flaw to drop two previously unreported malware families: TaskWeaver, a loader, and Djinn Stealer, which does the credential harvesting once the loader's in place.
Exploitation started June 29, the same day the CVE hit the KEV catalog. This wasn't a slow-burn campaign — attackers moved on it almost immediately after disclosure.
What to Do Right Now
Patch. Progress has a fix out. If you can't patch immediately, disable OIDC authentication on the SimpleHelp server until you can — that removes the vulnerable code path entirely.
If your server has been internet-facing with OIDC enabled since June 29, treat it as potentially compromised. Check for unexpected Technician accounts, audit recent admin actions, and rotate credentials for anything the RMM server had reach into — that's every managed endpoint, not just the server itself.
Why This Matters Beyond SimpleHelp
This is the same shape of problem we keep seeing: a management tool sitting above a pile of trust gets one auth bug, and the blast radius is everything underneath it. Same pattern as the LangGraph RCE vulnerability from earlier this year — the tooling you trust to manage or orchestrate other systems is exactly where a single flaw does the most damage.
If you're an MSP or manage RMM tooling for clients, this is worth a wider audit pass — check what else in your management stack authenticates via OIDC and whether signature verification is actually being enforced, not just configured.
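As an added illustration (not SimpleHelp's code, and no claim about its internals), here is the bug class described above next to the audit check from the previous paragraph: a relying-party validator that trusts the ID token payload without checking its signature, beside one that verifies signature, issuer, audience and expiry, plus a probe that tells the two apart by presenting a token signed with the wrong key. HS256 with a shared key stands in for the IdP's RS256/JWKS signing so the example stays stdlib-only; the issuer, audience and key values are constructed.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.example.test"   # constructed IdP
AUDIENCE = "simplehelp-rp"            # constructed client_id for the RP
IDP_KEY = b"constructed-idp-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 ID token (stand-in for the IdP's RS256/JWKS signing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def vulnerable_validate(id_token: str) -> dict:
    """The bug class: decode the payload and trust it; the signature is never checked."""
    _, payload_b64, _ = id_token.split(".")
    return json.loads(_b64url_decode(payload_b64))

def hardened_validate(id_token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Accept only tokens signed by the IdP, minted for this RP, and not yet expired."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also blocks alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def verification_enforced(validate) -> bool:
    """Audit probe: hand the RP a token signed with the wrong key. An RP that
    enforces signatures must refuse it; True means it did."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "technician",
              "exp": int(time.time()) + 300}
    try:
        validate(sign_id_token(claims, b"not-the-idp-key"))
    except ValueError:
        return True
    return False
```

Run the probe against whatever your own relying-party code does with an ID token; a validator that returns claims for the wrong-key token is the same shape of bug as the one described above.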
Sources: The Hacker News, Threat-Modeling.com
Frequently Asked Questions
What is CVE-2026-48558?
CVE-2026-48558 is a maximum-severity (CVSS 10.0) authentication bypass in SimpleHelp's OIDC login flow. The server accepts forged identity tokens without verifying their cryptographic signature, letting an unauthenticated attacker create an admin-level Technician account.
How is the SimpleHelp vulnerability being exploited?
Attackers are exploiting it to deploy two new malware families: TaskWeaver, a loader, and Djinn Stealer, a credential-harvesting payload. Exploitation began June 29, 2026, the same day CISA added the flaw to its Known Exploited Vulnerabilities catalog.
How do I fix the SimpleHelp CVE-2026-48558 vulnerability?
Patch immediately using the fix Progress has released. If you can't patch right away, disable OIDC authentication on the server to remove the vulnerable path, and treat any internet-facing instance that had OIDC enabled since June 29 as potentially compromised.
What is the CISA deadline for the SimpleHelp vulnerability?
CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog on June 29, 2026, with a 3-day remediation deadline under Binding Operational Directive 26-04. That deadline is July 2, 2026.