
CISA adds SimpleHelp CVE-2026-48558 to KEV after OIDC bypass exploited

CISA added the SimpleHelp OIDC auth bypass (CVSS 10) to KEV on June 29. ~14,000 servers are internet-exposed; 5.5.16 and 6.0 RC2 shipped the fix on June 9.


CISA added CVE-2026-48558, the SimpleHelp OIDC authentication bypass, to its Known Exploited Vulnerabilities catalog on June 29, 2026, in a single-CVE alert. The listing is the agency's first public signal that the flaw is being used in the wild against deployed RMM servers. The CVSS score is 10.0. Horizon3.ai, which discovered the bug and disclosed it on June 16, and SimpleHelp had until now said they had no confirmed in-the-wild exploitation.

What's affected

The flaw is an OIDC identity-token verification bypass on SimpleHelp servers configured with OpenID Connect SSO for technicians. The server accepts JWT identity assertions without verifying the cryptographic signature — an unauthenticated attacker mints a token containing arbitrary identity claims, presents it at login, and receives a fully authenticated Technician session. If the deployment enforces MFA, that protection is bypassed too: first-login self-enrollment lets the attacker register their own MFA factor before policy kicks in.
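To make the bug class concrete, here is an added illustration in Python (not SimpleHelp's code, whose internals this page does not show): a toy relying-party check that trusts the ID token's payload without looking at the signature, next to a hardened check that pins the algorithm and verifies signature, issuer, audience and expiry. HS256 with a shared secret is used only so the example runs offline; a real OIDC relying party verifies RS256/ES256 against the provider's published JWKS. The issuer, audience and secret are constructed demo values.

```python
"""
Added example: unverified JWT acceptance vs. a hardened check.
Not SimpleHelp's code; HS256 stands in for the RS256/JWKS path of a real IdP.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; nothing here comes from a real deployment.
IDP_SECRET = b"constructed-demo-secret-not-a-real-idp-key"
EXPECTED_ISSUER = "https://idp.example.test"     # hypothetical IdP
EXPECTED_AUDIENCE = "simplehelp-demo-client"      # hypothetical client_id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: Optional[bytes], alg: str = "HS256") -> str:
    """Build a JWT. secret=None is the attacker's case: no key, so an empty signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if secret is None:
        signature = ""
    else:
        signature = _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def vulnerable_identity_from_token(token: str) -> dict:
    """The bug class: decode the payload and trust it; the signature is never checked."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def hardened_identity_from_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Pin alg, verify signature, then iss/aud/exp, before trusting any claim."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # The verifier, not the token, decides the algorithm (blocks alg=none and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def demo() -> dict:
    """Forge a token with no key at all and see which verifier lets it through."""
    claims = {
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "sub": "attacker", "email": "tech-admin@example.test",  # arbitrary identity claims
        "exp": int(time.time()) + 3600,
    }
    forged = mint_token(claims, secret=None)                 # HS256 header, empty signature
    forged_none = mint_token(claims, secret=None, alg="none")
    legit = mint_token(claims, secret=IDP_SECRET)
    expired = mint_token({**claims, "exp": int(time.time()) - 60}, secret=IDP_SECRET)

    def accepted(fn, *args):
        try:
            fn(*args)
            return True
        except ValueError:
            return False

    return {
        "vulnerable_accepts_forged": accepted(vulnerable_identity_from_token, forged),
        "hardened_accepts_forged": accepted(hardened_identity_from_token, forged, IDP_SECRET),
        "hardened_accepts_alg_none": accepted(hardened_identity_from_token, forged_none, IDP_SECRET),
        "hardened_accepts_expired": accepted(hardened_identity_from_token, expired, IDP_SECRET),
        "hardened_accepts_legit": accepted(hardened_identity_from_token, legit, IDP_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path is one line of "decode and trust", which is why the diff for such a bug is small: the fix is the whole of the hardened function, and the pieces that matter most are the pinned algorithm and the constant-time signature comparison that runs before any claim is read.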

Per the Horizon3.ai write-up and the CCB Belgium advisory, several preconditions must hold for the bypass to fire:

  • at least one OIDC identity provider is configured on the SimpleHelp server,
  • a TechnicianGroup is mapped to that OIDC provider, and
  • the TechnicianGroup has "Allow group authenticated logins" enabled.

Affected releases: SimpleHelp 5.5.15 and earlier in the 5.x branch, and 6.0 pre-release builds before RC2. Fixed in 5.5.16 (stable) and 6.0 RC2, both released June 9, 2026.

Shodan exposure numbers cited in the disclosure window put roughly 14,000 SimpleHelp servers on the public internet, with around 7.2% running OIDC — i.e. ~1,000 servers in the direct blast radius before any downstream MSP fleet is counted.

Exploitation status

What's new today is the KEV addition itself. CISA promotes a CVE to KEV only when it has corroborated evidence of active exploitation against operational targets — the agency does not generally publish the underlying telemetry alongside the listing. The KEV entry carries the CVE, the short title, the date added (2026-06-29), and an FCEB remediation deadline of 2026-07-20. No IOC bundle, no named threat actor, no campaign attribution yet.

Horizon3.ai's June 16 disclosure included a technical walk-through but stopped short of dropping a PoC. Anyone with a copy of 5.5.15 and the diff against 5.5.16 has enough to write one — the issue is JWT signature verification, and the diff is small.

Action checklist

  1. Patch now. 5.x → 5.5.16. 6.0 pre-release → 6.0 RC2. Both releases shipped on June 9 — there is no excuse for an unpatched OIDC-enabled SimpleHelp three weeks later.
  2. If you can't patch this hour, disable OIDC group logins. Turn off "Allow group authenticated logins" on every TechnicianGroup mapped to an OIDC provider. That removes one of the three preconditions and neutralises the bypass until the version bump lands.
  3. Restrict technician logins by source IP. SimpleHelp's Administration → Login Security panel allowlists IPs for technician auth. That bounded the blast radius before the patch existed and remains a sensible defense-in-depth control after it.
  4. Audit Technician accounts. Anyone with rights but no clear owner should be treated as suspect, especially accounts whose first login came in via OIDC after the patch shipped on June 9 (the point from which the diff was public). Remove them, then reset MFA factors on the remainder.
  5. Hunt the downstream endpoints. A SimpleHelp Technician session grants remote control and arbitrary script execution on every enrolled endpoint. A successful bypass means the MSP's customer fleet is the real attack surface — review remote-session logs and script-run history on endpoints since May 1 for unexpected technician sessions, paying particular attention to off-hours activity and to sessions originating from technician accounts not previously used.
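As an added example for steps 4 and 5 (not SimpleHelp's own export format, which this page does not show), here is a small hunting script over a constructed session export in a hypothetical CSV layout (timestamp, technician, endpoint, action). It builds a baseline of technician accounts active before the review window, then flags in-window sessions that are off-hours or that come from an account with no prior history. The business-hours window and the sample rows are assumptions; adapt the parser to whatever your server or SIEM actually emits.

```python
"""
Added hunting example for the checklist above. The CSV layout and rows are
constructed; SimpleHelp's real export format is not shown on this page.
"""
import csv
from datetime import datetime, time as dtime
from io import StringIO
from typing import Dict, List

# Constructed sample export (hypothetical layout). Times are local server time.
SAMPLE_EXPORT = """\
timestamp,technician,endpoint,action
2026-04-14T10:05:00,alice,WS-0142,remote_control
2026-04-21T15:30:00,bob,SRV-DB01,script_run
2026-05-04T11:12:00,alice,WS-0142,remote_control
2026-06-12T02:47:00,svc-oidc-7f,SRV-DB01,script_run
2026-06-12T02:51:00,svc-oidc-7f,SRV-FILE02,remote_control
2026-06-15T14:20:00,bob,WS-0301,remote_control
2026-06-16T23:05:00,alice,SRV-DB01,script_run
"""

HUNT_FROM = datetime(2026, 5, 1)                 # review window start, per the checklist
BUSINESS_HOURS = (dtime(8, 0), dtime(18, 0))     # assumed; tune to your own shop


def parse_sessions(export_text: str) -> List[Dict]:
    """Parse the (hypothetical) CSV export into dicts with a datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(export_text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def hunt(sessions: List[Dict]) -> List[Dict]:
    """Flag in-window sessions that are off-hours or from a technician account
    with no activity before the window (the 'not previously used' case)."""
    baseline = {s["technician"] for s in sessions if s["ts"] < HUNT_FROM}
    findings = []
    for s in sorted(sessions, key=lambda r: r["ts"]):
        if s["ts"] < HUNT_FROM:
            continue
        reasons = []
        if s["technician"] not in baseline:
            reasons.append("technician not seen before hunt window")
        if is_off_hours(s["ts"]):
            reasons.append("off-hours")
        if reasons:
            findings.append({**s, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_sessions(SAMPLE_EXPORT)):
        print(f["timestamp"], f["technician"], f["endpoint"], f["action"], "; ".join(f["reasons"]))
```

On the constructed rows the two 02:xx sessions from the never-before-seen `svc-oidc-7f` account trip both rules, and alice's 23:05 script run trips only the off-hours rule; the daytime sessions from established accounts are not reported. In practice, pair the "new account" rule with the server-side technician list from step 4 rather than relying on session history alone, since an attacker's account may have no endpoint sessions yet.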

Context

RMM tools sit at the centre of MSP-managed environments, and that's exactly why they keep showing up on KEV — one compromised server is the access path to every customer the MSP serves. The pattern mirrors the LiteSpeed cPanel symlink CVE-2026-54420 added to KEV in May and the Cisco Unified CM CVE-2026-20230 webshell escalation we covered last week: a critical-class flaw in management-plane software ships a patch, a couple of weeks pass, evidence of in-the-wild exploitation accumulates, CISA formalises the listing, and the unpatched long tail becomes the problem.

The window to patch quietly closed when CISA promoted this CVE. From here, every unpatched OIDC-configured SimpleHelp is in scope for opportunistic mass scanning, and the FCEB deadline of July 20 is the floor — the private-sector deadline is "today."
