SimpleHelp CVE-2026-48558: when your RMM tool becomes the threat
Remote monitoring and management platforms sit at the top of the privilege chain. They have credentials for every endpoint they touch. So when one of them has a CVSS 10.0 authentication bypass, the blast radius is the entire managed fleet.
That is the situation with SimpleHelp today. CVE-2026-48558 was added to CISA's Known Exploited Vulnerabilities catalog with a Federal Civilian Executive Branch (FCEB) remediation deadline of July 2, 2026. That is today.
What is broken
SimpleHelp supports OpenID Connect (OIDC) for group-authenticated login. When OIDC is enabled, the server is supposed to verify the signature on the ID token it receives, against the identity provider's published signing keys, before trusting any of the claims inside it. It does not.
An unauthenticated attacker can therefore craft an ID token carrying whatever claims they like, submit it to the server, and receive an authenticated Technician session in return. From that position, the attacker has administrative access to every endpoint managed through that SimpleHelp instance.
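To make the failure concrete, here is an added example (not SimpleHelp's code, and not a description of its internals) of the two ways a relying party can handle an ID token: decoding the claims and trusting them, versus verifying the signature, algorithm, issuer, audience and expiry first. It uses HS256 with a shared key as a stand-in for the RS256/JWKS verification a real OIDC relying party performs, because that keeps it to the Python standard library; the issuer, audience, keys and tokens are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for the example; a real relying party takes these from its OIDC configuration.
ISSUER = "https://idp.example.com"
AUDIENCE = "simplehelp-client-id"
EXPECTED_ALG = "HS256"  # HS256 stands in for the RS256 + JWKS check a real IdP integration uses


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT. Signed with the IdP's key it models a legitimate ID token;
    signed with any other key, or with alg 'none', it models what an attacker can forge."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = "" if alg == "none" else _b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def decode_unverified(token: str) -> dict:
    """The broken pattern: read the claims and act on them without checking the signature."""
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Return the claims only after signature, alg, iss, aud and exp all check out.
    Raises ValueError otherwise, so a caller can never fall through to unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:  # the token must not get to choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def accepts(token: str, key: bytes, issuer: str = ISSUER, audience: str = AUDIENCE) -> bool:
    """Boolean wrapper: would a correct relying party issue a session for this token?"""
    try:
        verify_id_token(token, key, issuer, audience)
        return True
    except ValueError:
        return False


def sample_tokens():
    """Constructed tokens: one from the IdP key, one forged with an attacker key, one with alg 'none'."""
    idp_key = b"idp-signing-key"  # constructed; in practice the IdP's RSA public key from its JWKS
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": int(time.time()) + 300}
    legit = mint_token({**base, "sub": "alice"}, idp_key)
    forged = mint_token({**base, "sub": "attacker", "role": "technician"}, b"attacker-key")
    unsigned = mint_token({**base, "sub": "attacker"}, b"", alg="none")
    return idp_key, legit, forged, unsigned


if __name__ == "__main__":
    key, legit, forged, unsigned = sample_tokens()
    for name, tok in (("legit", legit), ("forged", forged), ("alg=none", unsigned)):
        print(f"{name:9s} unverified sub={decode_unverified(tok)['sub']:9s} verified={accepts(tok, key)}")
```

Run it and the unverified path reports `attacker` for both the forged and the `alg=none` token, while `accepts()` returns True only for the token signed by the IdP key. The order of checks matters: the algorithm is pinned before the signature is computed, and the signature is checked before any claim is read, so a forged `role` claim never reaches authorization logic.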
The vulnerability was disclosed by SimpleHelp in mid-June. Within days, Arctic Wolf and Blackpoint Cyber were documenting active exploitation.
What attackers are doing with it
Blackpoint Cyber documented the intrusion chain in detail. After establishing a Technician session, attackers deploy TaskWeaver, a Node.js-based implant. TaskWeaver then drops Djinn Stealer, a cross-platform credential harvester built to run on Windows, macOS, and Linux.
Djinn's target list is broad. It goes after cloud platform API tokens, GitHub and GitLab credentials, package registry keys, AI coding assistant session tokens, browser cookies, SSH keys, and cryptocurrency wallets. The emphasis on AI coding assistant credentials and source control access suggests attackers expect to find high-value development environment tokens on the managed endpoints of technology teams.
Internet exposure is significant. Approximately 14,000 SimpleHelp servers are externally reachable; around 1,000 are assessed to be directly vulnerable.
What to do right now
If you run SimpleHelp with OIDC enabled, treat this as a P0 incident. Patch to the latest version immediately. If you cannot patch within the next few hours, disable OIDC authentication and fall back to local authentication until the patch is applied. Either step closes the forgery path but does not end sessions that were already issued, so terminate active Technician sessions as part of the same change.
If you suspect you have already been exploited: look for TaskWeaver artifacts (Node.js processes spawned under the SimpleHelp service account), Technician accounts created after June 16, and use of credentials that sat on managed endpoints (cloud API tokens, GitHub and GitLab tokens, SSH keys) from unfamiliar locations. Rotate anything on Djinn Stealer's target list that was present on an affected endpoint.
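The first of those hunts, as an added example that is not from the original post or from any vendor's detection content: parse a process listing and flag Node.js processes that run as, or were spawned by a process running as, the SimpleHelp service account. The account name, binary names and the `ps` snapshot below are all constructed assumptions; substitute the account your installation actually uses and feed it real `ps -eo user,pid,ppid,comm,args` output.

```python
import re

# Assumed: the account the SimpleHelp server runs under on this host. Replace with yours.
SERVICE_ACCOUNT = "simplehelp"
# Assumed set of Node.js binary names worth matching on.
NODE_BINARIES = {"node", "nodejs", "node.exe"}

# Columns of `ps -eo user,pid,ppid,comm,args`; args may contain spaces.
PS_LINE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<comm>\S+)\s+(?P<args>.*)$")

# Constructed sample snapshot for the demo; not real output from a compromised host.
SAMPLE_PS = """\
USER        PID  PPID COMMAND  ARGS
root          1     0 systemd  /sbin/init
simplehelp  842     1 java     /opt/simplehelp/jre/bin/java -jar server.jar
simplehelp 9107   842 node     /tmp/.cache/node /tmp/.cache/tw.js
alice      2210  2201 node     node /home/alice/app/server.js
root       3001     1 sshd     /usr/sbin/sshd -D
"""


def parse_ps(text: str) -> list:
    """Turn ps output into dicts, skipping the header and any line that does not fit the format."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if not m or m.group("pid") == "PID":
            continue
        rec = m.groupdict()
        rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
        procs.append(rec)
    return procs


def suspicious_node_processes(procs: list, service_account: str = SERVICE_ACCOUNT) -> list:
    """Node.js processes running as the service account, or whose parent runs as it.
    The parent check catches an implant that re-executes under a different uid."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if p["comm"] not in NODE_BINARIES:
            continue
        parent = by_pid.get(p["ppid"])
        if p["user"] == service_account or (parent is not None and parent["user"] == service_account):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in suspicious_node_processes(parse_ps(SAMPLE_PS)):
        print(f"pid={hit['pid']} ppid={hit['ppid']} user={hit['user']} args={hit['args']}")
```

On the sample snapshot only pid 9107 is reported: it is a `node` child of the service account's Java process, while alice's unrelated Node.js app is ignored. A hit is a lead, not a verdict; pull the binary and script it was launched with before acting on it.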
CISA added this to the KEV catalog because exploitation is confirmed and broad. The 14,000 exposed servers are not all patched. Some percentage of them are compromised right now.
The wider point on RMM security
This is not the first time remote access and RMM platforms have been weaponized. ConnectWise ScreenConnect's authentication bypass was exploited at scale, AnyDesk's own production infrastructure was compromised, and now SimpleHelp joins the list. RMM tools are crown-jewel infrastructure and they deserve commensurate hardening: network segmentation, a management interface that is not reachable from the open internet, authentication logging that is actually reviewed, and a patching SLA measured in hours, not the standard 30-day window.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you run managed services and want to discuss RMM hardening.