CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software stemming from improper validation of OpenID Connect (OIDC) token signatures when group-authenticated login is enabled. Attackers exploit this flaw to forge identity tokens, bypass multi-factor authentication (MFA), and provision rogue technician-level administrator accounts. This unauthorized privileged access allows for the mass deployment of "Djinn Stealer," a cross-platform information stealer targeting Windows and macOS, across all managed endpoints. This creates a significant supply-chain risk for Managed Service Providers (MSPs) and their clients, enabling widespread credential theft and lateral movement.

  • Vulnerability Overview: CVE-2026-48558

    • Critical flaw resides in the SimpleHelp RMM authentication module.
    • Triggered specifically when "group-authenticated login" settings are active.
    • Allows unauthenticated attackers to assume administrative identities and gain full server control.
  • Technical Mechanics: OIDC Token Forgery

    • The vulnerable implementation fails to properly verify the signatures of OIDC identity tokens.
    • Threat actors generate forged tokens to impersonate legitimate users and bypass authentication.
    • The exploit effectively nullifies MFA protections, granting immediate, high-privileged access.
  • Post-Exploitation: Payload Delivery

    • Attackers create persistent rogue technician accounts to maintain access and evade detection.
    • Legitimate RMM management capabilities are weaponized to push malware to all managed endpoints.
    • Deployment of "Djinn Stealer," a cross-platform binary targeting both Windows and macOS.
  • Impact and Risk Profile

    • Full administrative takeover of SimpleHelp RMM infrastructure.
    • High probability of secondary compromise across multiple distinct client environments managed by a single MSP.
    • Facilitates large-scale credential exfiltration and lateral movement via trusted RMM channels.
  • Detection and Remediation

    • Audit SimpleHelp server logs for unauthorized OIDC logins and the creation of unknown technician accounts.
    • Monitor for C2 communication patterns and binary signatures associated with Djinn Stealer.
    • Immediately update SimpleHelp RMM to the latest patched version to remediate the OIDC validation logic.
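To make the validation failure described under Technical Mechanics concrete, and to show what the remediated check has to do, here is an added example that is not SimpleHelp's code and is not taken from any of the sources above. It models an OIDC ID-token check in stdlib-only Python: `decode_unverified` is the vulnerable pattern (claims are trusted without checking the signature), and `verify_id_token` is the hardened pattern (pinned algorithm, signature comparison in constant time, issuer, audience and expiry checks). Everything is constructed for the example: the HS256 shared key stands in for the RS256 key an identity provider would publish via JWKS, and the issuer, audience, subject and key values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; a real deployment would verify RS256
# against the provider's JWKS keys and use its real issuer/client id.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "simplehelp-example-client"
FAR_FUTURE_EXP = 4102444800  # 2100-01-01, keeps the sample token unexpired


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256-signed token; stands in for the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """VULNERABLE pattern: parse the payload and trust it, signature ignored."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """HARDENED pattern: return claims only if alg, signature, iss, aud and exp all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token pick it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except Exception:
        raise ValueError("bad signature")
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise ValueError("expired")
    return claims


def run_demo() -> dict:
    """Compare both checks on a legitimate token and on a token signed with the wrong key."""
    legit_claims = {
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "sub": "tech-alice", "exp": FAR_FUTURE_EXP,
    }
    legit = make_id_token(legit_claims, SIGNING_KEY)
    # Same shape of token but signed with a key the provider never issued.
    forged = make_id_token(dict(legit_claims, sub="unknown-account"), b"not-the-idp-key")
    results = {"legit_sub": verify_id_token(legit, SIGNING_KEY)["sub"]}
    results["unverified_accepts_forged"] = decode_unverified(forged)["sub"]
    try:
        verify_id_token(forged, SIGNING_KEY)
        results["verified_rejects_forged"] = None
    except ValueError as err:
        results["verified_rejects_forged"] = str(err)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the two functions side by side is that both decode the same bytes; the difference is solely whether the signature and the pinned algorithm are checked before any claim (such as a group or subject) is used to map the login to a technician account.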
