CISA added CVE-2026-48558, a critical authentication bypass in SimpleHelp Remote Monitoring and Management software, to its Known Exploited Vulnerabilities catalog with a July 2, 2026 remediation deadline. The bug carries a CVSS score of 10.0 and is already being used in the wild to deploy a previously undocumented infostealer, Djinn Stealer, via a loader called TaskWeaver.

The bug

SimpleHelp supports OpenID Connect (OIDC) as a login option for its Technician console. The server accepts identity tokens (ID Tokens / JWTs) presented during that flow but does not validate the token’s cryptographic signature. An attacker who can reach the login endpoint can forge a JWT with arbitrary identity claims — including group membership — and hand it to the server as if it came from a legitimate OIDC provider. SimpleHelp accepts it and issues a fully authenticated Technician session, no credentials or MFA required.

Three conditions have to be true for a given deployment to be exploitable: OIDC authentication is enabled, at least one OIDC provider is configured, and a Technician group has “Allow group authenticated logins” turned on for that provider. That’s a common configuration for MSPs and IT help desks that federate SimpleHelp login to an existing identity provider for convenience — exactly the deployments most exposed to the internet.

Affected: SimpleHelp 5.5.15 and earlier, plus all 6.0 pre-release builds. Fixed in 5.5.16 and 6.0 RC2, both released in late May 2026.

Technician accounts are privileged by default — they can remote into any managed endpoint and push scripts through the RMM’s built-in execution channel, which is the same mechanism legitimate support sessions use. A forged login is indistinguishable from a real one at the network level.

The payload: TaskWeaver + Djinn Stealer

Blackpoint Cyber, investigating an intrusion, found attackers exploiting CVE-2026-48558 against an internet-facing SimpleHelp server to establish a Technician session, then using it to drop TaskWeaver, a Node.js-based loader, which in turn deploys Djinn Stealer — a cross-platform (Windows, macOS, Linux) credential harvester.

Djinn Stealer’s target list is notably developer-centric: cloud platform credentials, source-control sessions, package-registry tokens, infrastructure-as-code secrets, browser-stored credentials, SSH keys, cryptocurrency wallets, and — unusually — local configuration and Model Context Protocol (MCP) files for AI coding assistants including Claude, Gemini, Codex, Cline, OpenCode, and Kilo. Before exfiltration, collected data is packed into a TAR archive, GZIP-compressed, and encrypted with an AES-256-GCM key wrapped in an RSA-2048 public key embedded in the TaskWeaver binary, then sent to a C2 server.

Impact

The immediate victim is whoever runs the exposed SimpleHelp server — but the real damage lands downstream. A stolen cloud API key, package-registry publishing token, source-control session, or SSH key survives independently of the compromised RMM box. An attacker holding one of those can re-enter an environment through a trusted channel days or weeks later, tamper with software before it ships, reach production data, or pivot into an MSP’s customer tenants — all without touching SimpleHelp again. Given SimpleHelp’s install base among MSPs managing hundreds of downstream endpoints per server, a single successful exploitation can cascade the same way January 2025’s SimpleHelp path-traversal chain did with DragonForce ransomware.

Mitigation

  1. Upgrade immediately to SimpleHelp 5.5.16 (5.x branch) or 6.0 RC2 (6.x branch). There is no workaround short of disabling OIDC login entirely.
  2. If OIDC can’t be patched immediately, disable “Allow group authenticated logins” on Technician groups, or disable OIDC login as an auth method until you’ve upgraded.
  3. Take internet-facing SimpleHelp consoles offline if remote technician access isn’t a hard requirement — this bug, like the January 2025 chain, is only reachable because instances are routinely exposed for convenience.
  4. Hunt for indicators: unexpected Technician accounts or sessions you didn’t provision, TaskWeaver/Node.js processes spawned from the SimpleHelp service account, outbound connections to unfamiliar C2 infrastructure, and TAR/GZIP artifacts staged for exfiltration. Horizon3.ai and Blackpoint have published IOCs.
  5. Treat any secrets accessible from an affected host as burned: rotate cloud keys, package-registry tokens, source-control sessions, SSH keys, and any AI-assistant MCP configuration that could have been read by Djinn Stealer. Assume persistence was established independent of the SimpleHelp server itself.

References