← Back to Intel Feed Snapshot (2026-07-02)

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software stemming from improper validation of OpenID Connect (OIDC) token signatures when group-authenticated login is enabled. Attackers exploit this flaw to forge identity tokens, bypass multi-factor authentication (MFA), and provision rogue technician-level administrator accounts. This unauthorized privileged access allows for the mass deployment of "Djinn Stealer," a cross-platform information stealer targeting Windows and macOS, across all managed endpoints. This creates a significant supply-chain risk for Managed Service Providers (MSPs) and their clients, enabling widespread credential theft and lateral movement.

  • Vulnerability Overview: CVE-2026-48558

    • Critical flaw resides in the SimpleHelp RMM authentication module.
    • Triggered specifically when "group-authenticated login" settings are active.
    • Allows unauthenticated attackers to assume administrative identities and gain full server control.
  • Technical Mechanics: OIDC Token Forgery

    • The vulnerable implementation fails to properly verify the signatures of OIDC identity tokens.
    • Threat actors generate forged tokens to impersonate legitimate users and bypass authentication.
    • The exploit effectively nullifies MFA protections, granting immediate, high-privileged access.
  • Post-Exploitation: Payload Delivery

    • Attackers create persistent rogue technician accounts to maintain access and evade detection.
    • Legitimate RMM management capabilities are weaponized to push malware to all managed endpoints.
    • Attackers then deploy "Djinn Stealer," a cross-platform binary targeting both Windows and macOS, through the compromised RMM.
  • Impact and Risk Profile

    • Full administrative takeover of SimpleHelp RMM infrastructure.
    • High probability of secondary compromise across multiple distinct client environments managed by a single MSP.
    • Facilitates large-scale credential exfiltration and lateral movement via trusted RMM channels.
  • Detection and Remediation

    • Audit SimpleHelp server logs for unauthorized OIDC logins and the creation of unknown technician accounts.
    • Monitor for C2 communication patterns and binary signatures associated with Djinn Stealer.
    • Immediately update SimpleHelp RMM to the latest patched version to remediate the OIDC validation logic.
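
As an added illustration of the class of check at the root of this advisory (this is not SimpleHelp's code and makes no claim about its internals): an ID token validator that verifies the signature before trusting any claim, alongside a constructed stand-in for the identity provider. HS256 with a shared key is used only so the example runs offline; real OIDC providers sign ID tokens with asymmetric keys published at their JWKS endpoint, so a production verifier pins those keys and the expected algorithm instead. Issuer, audience and key values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the identity provider: emits a correctly signed HS256 ID token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out; raise otherwise."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(b))
        signature = b64url_decode(s)
    except ValueError:  # unpack errors, bad base64 and bad JSON are all ValueError subclasses
        raise ValueError("malformed token") from None
    # Pin the algorithm server-side; never let the token header choose it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not verify")  # the check a vulnerable path skips
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def token_is_accepted(token: str, key: bytes, issuer: str, audience: str, now: float) -> bool:
    """Boolean wrapper so any validation failure is treated as a rejection."""
    try:
        verify_id_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False
```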
