SimpleHelp bug lets hackers create rogue remote support accounts
At a glance:
- Critical vulnerability CVE-2026-48558 in SimpleHelp allows unauthenticated creation of privileged technician accounts via OIDC.
- Affected versions: SimpleHelp 5.5.15 and earlier, plus 6.0 pre‑release; patched in 5.5.16 and 6.0RC2 released June 9.
- Roughly 7.2 % of ~14,000 internet‑exposed SimpleHelp servers use OIDC, and many have the required “Allow group authenticated logins” setting enabled.
Vulnerability details
The flaw stems from insufficient validation of identity assertions returned by an OpenID Connect identity provider. When OIDC authentication is enabled, an unauthenticated attacker can register a new Technician user and log in without completing multi‑factor authentication. According to Horizon3.ai researcher Zach Hanley, the resulting Technician account inherits default privileged capabilities such as remote control of managed endpoints and script execution.
SimpleHelp addressed the issue on June 9 by shipping versions 5.5.16 and 6.0RC2. The vulnerability receives a critical severity rating because it grants full administrative access to the remote management console, a high‑value target for threat actors.
Affected configurations and exposure
Exploitation requires three conditions: OIDC authentication must be turned on; at least one Technician Group must be linked to the OIDC provider; and that group must have “Allow group authenticated logins” enabled. Shodan scans reveal about 14,000 SimpleHelp servers reachable on the public internet, and a random sample indicates roughly 7.2 % of them are configured for OIDC. Horizon3.ai also observed that the “Allow group authenticated logins” option is frequently enabled in enterprise deployments, expanding the practical attack surface.
Organizations running vulnerable builds should prioritize inventory of any server meeting all three prerequisites, especially those integrated with Azure AD OIDC or generic OIDC providers common in large enterprises.
Mitigations and detection
The primary remediation is upgrading to SimpleHelp 5.5.16 or 6.0RC2, which contain the fix for CVE-2026-48558. If immediate patching is not feasible, administrators can restrict technician login sources with IP‑based allowlists to limit exposure. Horizon3.ai published indicators of compromise to aid detection: newly created technician accounts with unfamiliar names or email addresses, and log entries in “/opt/SimpleHelp/logs/server.log” or dated log directories showing technician registrations, email changes, or configuration modifications performed by rogue accounts.
Monitoring these logs and correlating unexpected technician provisioning with authentication events can reveal active exploitation attempts.
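To make the detection guidance above concrete, here is an added example (not from the article, Horizon3.ai, or SimpleHelp) that runs a hunting heuristic over a handful of server log lines. The log format, event names, usernames and the known-technician baseline are all constructed for the example; SimpleHelp's real server.log layout is not shown on the page, so a practitioner would adapt the regular expression and event names to what the product actually writes. The logic itself is what the article recommends: flag technician registrations that are not in your inventory, and correlate a new account with an OIDC login that skipped MFA, an email change, or a configuration change made shortly after registration.

```python
import re
from datetime import datetime, timedelta

# Constructed (hypothetical) log format, NOT SimpleHelp's real one:
#   "<YYYY-MM-DD HH:MM:SS> <EVENT_NAME> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")

# Baseline of technicians your team actually provisioned (constructed sample).
KNOWN_TECHNICIANS = {"alice", "bob"}

# Constructed sample log: one legitimate admin-provisioned technician (carol)
# and one suspicious OIDC-registered account that immediately changes config.
SAMPLE_LOG = """\
2026-06-10 08:00:01 AUTH_SUCCESS user=alice method=password mfa=true
2026-06-10 08:15:22 TECH_REGISTERED user=svc-helpdesk7 email=noreply@example.invalid source=oidc group=Support
2026-06-10 08:15:23 AUTH_SUCCESS user=svc-helpdesk7 method=oidc mfa=false
2026-06-10 08:17:40 CONFIG_MODIFIED by=svc-helpdesk7 key=remote_control.allow_all
2026-06-10 08:18:05 TECH_EMAIL_CHANGED user=svc-helpdesk7 new=ops@attacker.invalid
2026-06-10 09:30:00 TECH_REGISTERED user=carol email=carol@example.invalid source=admin_console group=Support
2026-06-10 09:31:10 AUTH_SUCCESS user=carol method=password mfa=true
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "event": m.group("event"),
        **fields,
    }


def analyze(log_text, known=KNOWN_TECHNICIANS, window=timedelta(minutes=30)):
    """Return a list of findings: {"user", "reason", "ts"} for each suspicious event.

    Heuristics (mirroring the article's IoCs):
      1. TECH_REGISTERED for a user not in the known-technician baseline.
      2. AUTH_SUCCESS via OIDC with mfa=false within `window` of that user's registration.
      3. CONFIG_MODIFIED or TECH_EMAIL_CHANGED performed by a user within `window` of registration.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    registered_at = {}  # user -> registration timestamp
    findings = []
    for e in events:
        if e["event"] == "TECH_REGISTERED":
            registered_at[e["user"]] = e["ts"]
            if e["user"] not in known:
                findings.append({"user": e["user"], "reason": "unexpected technician registration", "ts": e["ts"]})
        elif e["event"] == "AUTH_SUCCESS":
            u = e["user"]
            recent = u in registered_at and e["ts"] - registered_at[u] <= window
            if recent and e.get("method") == "oidc" and e.get("mfa") == "false":
                findings.append({"user": u, "reason": "oidc login without mfa shortly after registration", "ts": e["ts"]})
        elif e["event"] in ("CONFIG_MODIFIED", "TECH_EMAIL_CHANGED"):
            u = e.get("by") or e.get("user")
            if u in registered_at and e["ts"] - registered_at[u] <= window:
                findings.append({"user": u, "reason": e["event"].lower() + " shortly after registration", "ts": e["ts"]})
    return findings


def suspicious_users(findings, min_findings=2):
    """Users with at least `min_findings` correlated findings; a lone unknown registration is only a lead."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return {u for u, n in counts.items() if n >= min_findings}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["user"], "-", f["reason"])
    print("escalate:", sorted(suspicious_users(results)))
```

On the constructed sample the unknown account carol produces a single finding (worth a ticket to confirm she was provisioned on purpose), while svc-helpdesk7 accumulates four correlated findings and is the one to escalate. The thirty-minute correlation window and the two-finding escalation threshold are tuning choices, not product defaults.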
Threat context and recommendations
Neither SimpleHelp nor Horizon3.ai has reported confirmed active exploitation, yet the product has a history of attracting significant threat‑actor interest. Given the critical rating and the ease of weaponizing the OIDC flow, security teams should apply the patches or mitigations without delay. Continuous vulnerability scanning, enforcement of least‑privilege group settings, and regular review of OIDC integration configurations are recommended to reduce future risk.
FAQ
What is CVE-2026-48558 and which SimpleHelp versions are affected?
How can organizations mitigate the vulnerability if they cannot update immediately?
What indicators of compromise should security teams look for?
Prepared by the editorial stack from public data and external sources.