CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software stemming from improper validation of OpenID Connect (OIDC) token signatures when group-authenticated login is enabled. Attackers exploit this flaw to forge identity tokens, bypass multi-factor authentication (MFA), and provision rogue technician-level administrator accounts. This unauthorized privileged access allows for the mass deployment of "Djinn Stealer," a cross-platform information stealer targeting Windows and macOS, across all managed endpoints. This creates a significant supply-chain risk for Managed Service Providers (MSPs) and their clients, enabling widespread credential theft and lateral movement.
Vulnerability Overview: CVE-2026-48558
- Critical flaw resides in the SimpleHelp RMM authentication module.
- Triggered specifically when "group-authenticated login" settings are active.
- Allows unauthenticated attackers to assume administrative identities and gain full server control.
Technical Mechanics: OIDC Token Forgery
- The vulnerable implementation fails to properly verify the signatures of OIDC identity tokens.
- Threat actors generate forged tokens to impersonate legitimate users and bypass authentication.
- The exploit effectively nullifies MFA protections, granting immediate, high-privileged access.
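To make concrete what "properly verifying" an OIDC identity token means, the following is an added example (not SimpleHelp's code, and not the actual flawed logic, which this advisory does not publish): a weak decoder that trusts unverified claims beside a validator that pins the algorithm, checks the signature, and only then checks issuer, audience and expiry. HS256 with a shared key is assumed so it runs offline; real OIDC providers sign with RS256 and publish keys via JWKS, but the control is identical.

```python
import base64
import hashlib
import hmac
import json
# Added illustration, not SimpleHelp's code. HS256 is assumed so the example runs
# offline; production OIDC uses RS256 with the provider's JWKS (same control).

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def claims_without_verification(token: str) -> dict:
    """Weak pattern: decode the payload and trust it. Anyone can mint such a token."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def validate_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Hardened pattern: pinned alg, signature check, then iss/aud/exp checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims

def token_is_valid(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    try:
        validate_id_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False

def issue_token(claims: dict, key: bytes) -> str:
    """Provider-side signer, used only to build sample tokens for the demo."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

A token signed with any key other than the provider's yields readable claims from the weak decoder but is rejected by the validator, which is the difference the MFA bypass described above hinges on.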
Post-Exploitation: Payload Delivery
- Attackers create persistent rogue technician accounts to maintain access and evade detection.
- Legitimate RMM management capabilities are weaponized to push malware to all managed endpoints.
- Deployment of "Djinn Stealer," a cross-platform binary targeting both Windows and macOS.
Impact and Risk Profile
- Full administrative takeover of SimpleHelp RMM infrastructure.
- High probability of secondary compromise across multiple distinct client environments managed by a single MSP.
- Facilitates large-scale credential exfiltration and lateral movement via trusted RMM channels.
Detection and Remediation
- Audit SimpleHelp server logs for unauthorized OIDC logins and the creation of unknown technician accounts.
- Monitor for C2 communication patterns and binary signatures associated with Djinn Stealer.
- Immediately update SimpleHelp RMM to the latest patched version to remediate the OIDC validation logic.
Related posts
- bleepingcomputer.com — SimpleHelp bug lets hackers create rogue remote support accounts
- arcticwolf.com — CVE-2026-48558: Critical Authentication Bypass Vulnerability in SimpleHelp RMM Exploited for Credential Theft and Malware Delivery
- threat-modeling.com — SimpleHelp Remote Support Platform: Unauthorized Administrator Account Creation Vulnerability
- fieldeffect.com — SimpleHelp flaw could enable broader compromise across managed environments
- bleepingcomputer.com — Critical SimpleHelp flaw exploited to deploy new stealer malware
- Expert In the Cloud — Djinn Stealer Malware