Vulnerability Analysis

CVE-2026-48558: SimpleHelp OIDC Authentication Bypass — Maximum Severity RMM Takeover

Executive Summary

CVE-2026-48558 is a maximum-severity (CVSS 10.0) authentication bypass in SimpleHelp Remote Monitoring and Management (RMM) software that lets an unauthenticated attacker forge an OpenID Connect (OIDC) identity token and obtain a fully privileged technician session — no credentials required. Active exploitation began in June 2026 with attackers deploying the Djinn Stealer infostealer and TaskWeaver loader to compromise managed endpoints. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog with a remediation deadline of July 2, 2026 — today. Patch immediately or take the server offline.


1. What Is This Vulnerability?

SimpleHelp RMM supports OpenID Connect (OIDC) as a login mechanism, allowing technicians to authenticate via external identity providers such as Azure Active Directory or any generic OIDC provider. The vulnerability exists because SimpleHelp fails to verify the cryptographic signature on inbound OIDC identity tokens.

In a correctly implemented OIDC flow, the server validates the JWT (JSON Web Token) signature against the public key published by the identity provider. If the signature is valid, the server trusts the claims inside — including the user's identity, group membership, and role. SimpleHelp skipped this check, meaning any caller can craft an arbitrary JWT with any identity claims and SimpleHelp will accept it as legitimate.

Attack Vector

The attack is fully unauthenticated and requires no prior knowledge beyond knowing that the target SimpleHelp server uses OIDC. The steps are:

  1. Attacker crafts a forged OIDC JWT asserting technician-level privileges (e.g., group membership that maps to the "Technician" role).
  2. Attacker submits the forged token to the SimpleHelp OIDC login endpoint.
  3. SimpleHelp accepts the token without signature verification, creates or logs in as a privileged Technician account, and issues a session cookie.
  4. Attacker now has full technician access: remote into managed endpoints, execute scripts, install software, and access all data visible to managed devices.

When the server is configured for group-authenticated login, the forged token also bypasses any multi-factor authentication requirements, since the MFA check is only applied to password-based logins.

Real-World Impact

By late June 2026, threat actors were actively exploiting this vulnerability in a multi-stage intrusion chain:

  • Stage 1 — Initial Access: Forge OIDC token → gain technician session on exposed SimpleHelp server.
  • Stage 2 — Loader Delivery: Deploy TaskWeaver, an obfuscated Node.js loader masquerading as jquery.js, executed via a command pattern consistent with node.exe jquery.js.
  • Stage 3 — Infostealer: TaskWeaver drops Djinn Stealer, which targets cloud and AI API keys, environment variables (env.json), running process lists (processList.txt), browser-stored credentials, and session tokens.
  • Stage 4 — C2 Communication: Djinn Stealer beacons to attacker-controlled infrastructure via Cloudflare Tunnel lookalike domains (e.g., dev-tunnels variants), making C2 traffic difficult to distinguish from legitimate traffic.

Approximately 14,000 SimpleHelp servers were exposed to the public internet at the time of disclosure, of which roughly 7.2% were configured with the vulnerable OIDC authentication method.


2. Who Is Affected?

Component Vulnerable Versions Patched Versions
SimpleHelp Server ≤ 5.5.15 5.5.16+
SimpleHelp Server ≤ 5.6.8 5.6.9+
SimpleHelp Server 6.0 pre-release (< RC2) 6.0 RC2+

Affected configurations:

  • Any SimpleHelp server with OIDC authentication enabled (Administration → Login Security → OIDC).
  • Specifically impactful when group-authenticated OIDC login is enabled, as this route also bypasses MFA.
  • Servers using standard username/password login without OIDC are not directly affected by this specific bypass, though they may still be exposed to other SimpleHelp vulnerabilities.

Exposure:

  • Internet-facing SimpleHelp servers are at highest risk.
  • Internal servers behind VPNs have reduced but non-zero exposure if internal threat actors exist.

3. How to Detect It (Testing)

Manual Testing Steps

  1. Identify OIDC configuration: Log in to the SimpleHelp server as an admin. Navigate to Administration → Login Security. If any OIDC provider (Azure AD or Generic OIDC) is configured and enabled, the server is potentially vulnerable.

  2. Check your SimpleHelp version: Navigate to Administration → About to confirm the running version. Any version below 5.5.16, 5.6.9, or 6.0 RC2 is vulnerable.

  3. Attempt forged token login (authorized testing only): Using a tool like jwt.io or the python-jose library, craft a JWT with no valid signature (or sign with a self-generated key). Submit it to the OIDC callback endpoint. If you receive an authenticated session, the server is vulnerable.

    # Example: craft unsigned/self-signed JWT (authorized pentest only)
    python3 -c "
    import json, base64
    header = base64.urlsafe_b64encode(json.dumps({'alg':'HS256','typ':'JWT'}).encode()).rstrip(b'=')
    payload = base64.urlsafe_b64encode(json.dumps({
        'sub': 'attacker',
        'email': 'attacker@example.com',
        'groups': ['Technicians'],
        'iat': 9999999999,
        'exp': 9999999999
    }).encode()).rstrip(b'=')
    print(f'{header.decode()}.{payload.decode()}.invalidsignature')
    "
    
  4. Review technician accounts: In Administration → Technicians, look for any accounts that do not correspond to known personnel, particularly accounts created recently via OIDC.

Automated Scanning

  • Tool: Horizon3.ai NodeZero or Tenable Nessus (with SimpleHelp plugin)

  • Tool: Nuclei with community templates — check for CVE-2026-48558 templates on ProjectDiscovery's template hub.

  • Command:

    nuclei -u https://your-simplehelp-server.example.com -tags cve-2026-48558
    
  • Expected output: A confirmed hit will indicate the OIDC endpoint accepted a forged token.

  • Shodan/Censys exposure check:

    # Shodan
    title:"SimpleHelp" port:443
    
    # Censys
    services.tls.certificates.leaf_data.subject.common_name:"simplehelp"
    

Code Review Checklist

  • Confirm SimpleHelp server version is 5.5.16+, 5.6.9+, or 6.0 RC2+
  • Verify OIDC is disabled if not actively required (Administration → Login Security)
  • Check technician account list for unauthorized entries
  • Review server logs for unexpected OIDC login events
  • Confirm IP allowlisting is applied to technician authentication (Administration → Login Security → Restrict by IP)
  • Verify no unknown node.exe processes or jquery.js files exist on managed endpoints

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Determine your current version (Administration → About).

  2. Download the patched version from the official SimpleHelp download page:

    • Target: 5.5.16, 5.6.9, or 6.0 RC2 (or later).
  3. Apply the update:

    # Stop SimpleHelp service (Linux)
    sudo systemctl stop simplehelp
    
    # Back up configuration
    sudo cp -r /opt/SimpleHelp/configuration /opt/SimpleHelp/configuration.bak
    
    # Replace JAR or run the installer depending on deployment method
    # Follow official SimpleHelp upgrade documentation for your OS
    
    # Restart
    sudo systemctl start simplehelp
    
  4. If patching is not immediately possible — temporary mitigations:

    • Disable OIDC: Administration → Login Security → disable all OIDC providers. This eliminates the attack surface for this specific vulnerability.
    • Restrict by IP: Administration → Login Security → restrict Technician logins to approved source IP addresses only.
    • Take offline: If neither option is feasible, shut down the SimpleHelp service or block internet access to the server until you can patch.
  5. Post-patch audit:

    • Review all Technician accounts and remove any that are unauthorized.
    • Rotate credentials for all Technician accounts as a precaution.
    • Audit recently connected endpoints for signs of lateral movement or infostealer activity.

Configuration Hardening

After patching, apply these settings to reduce future attack surface:

Setting Location Recommended Value
Restrict Technician login by IP Administration → Login Security Enable; add allowlist
Session timeout Administration → Server Settings 30 minutes or less
MFA for password logins Administration → Login Security Enforce for all technicians
Disable unused auth methods Administration → Login Security Disable OIDC if not needed
Expose server via VPN only Network/Firewall Block public internet access

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: After patching, repeat the forged JWT test from Section 3. The server should reject the token with a 401 or 403 response. No session should be created.
  • Scenario B: Confirm that legitimate OIDC logins (with valid tokens from your identity provider) still work correctly — the fix should not break the authentication flow for valid users.
  • Scenario C: Attempt to log in via the OIDC endpoint without an identity provider configured — the endpoint should return an appropriate error, not an authenticated session.

Security Test Cases

Test Case 1: Verify the signature validation is enforced

  • Precondition: SimpleHelp updated to 5.5.16+ (or OIDC disabled).
  • Steps: Submit a self-signed or unsigned OIDC JWT to the login endpoint.
  • Expected Result: Server returns HTTP 401 Unauthorized. No Technician session is established.

Test Case 2: Verify forged group claims are rejected

  • Precondition: SimpleHelp updated; OIDC remains enabled with group authentication.
  • Steps: Submit a JWT with a valid structure but forged group claims (e.g., fabricated "Technicians" group), signed with a key not registered with the identity provider.
  • Expected Result: Token rejected. No privileged session granted.

Test Case 3: Verify legitimate OIDC login still works

  • Precondition: SimpleHelp updated; OIDC configured with valid identity provider.
  • Steps: Complete a normal OIDC login flow using a real user account in the identity provider.
  • Expected Result: Login succeeds; session established with appropriate permissions.

Automated Validation

import requests
import base64
import json

def test_simplehelp_oidc_bypass(host):
    """
    Test CVE-2026-48558 — forged JWT should be rejected after patch.
    For authorized use in controlled environments only.
    """
    # Craft unsigned JWT
    header = base64.urlsafe_b64encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps({
        "sub": "test-bypass",
        "email": "pentest@example.com",
        "groups": ["Technicians"],
        "iat": 9999999999,
        "exp": 9999999999
    }).encode()).rstrip(b"=")
    forged_token = f"{header.decode()}.{payload.decode()}.invalidsignature"
    
    # Attempt OIDC callback with forged token
    r = requests.post(
        f"https://{host}/oidc/callback",
        data={"id_token": forged_token},
        allow_redirects=False,
        verify=False
    )
    
    if r.status_code in (401, 403, 400):
        print(f"[PASS] {host}: Forged token rejected (HTTP {r.status_code}) — patch confirmed.")
    elif r.status_code in (200, 302):
        print(f"[FAIL] {host}: Forged token ACCEPTED (HTTP {r.status_code}) — VULNERABLE!")
    else:
        print(f"[INFO] {host}: Unexpected response (HTTP {r.status_code}) — manual review needed.")

# Usage:
# test_simplehelp_oidc_bypass("your-simplehelp-server.example.com")

6. Prevention & Hardening

Best Practices

  • Principle of least exposure: Never expose RMM servers directly to the public internet. SimpleHelp servers should be accessible only via VPN or dedicated management network.
  • Defense-in-depth for authentication: Even if OIDC is required, enforce IP-based restrictions and session timeouts to limit the blast radius of any auth bypass.
  • Update cadence: Subscribe to SimpleHelp security bulletins and apply patches within 24–48 hours for critical severity ratings. RMM platforms are high-value targets because they provide access to every managed endpoint.
  • Audit technician accounts regularly: Automated reviews of privileged accounts should run weekly at minimum. Any account not provisioned through your identity management process should trigger an alert.
  • Validate OIDC implementations: When evaluating any software that supports OIDC, verify in vendor documentation or code that token signature validation is enforced. "Supports OIDC" does not guarantee correct implementation.

Monitoring & Detection

Set up the following detection rules to identify exploitation attempts or post-exploitation activity:

SIEM rules:

# Detect suspicious Node.js execution consistent with TaskWeaver loader
rule: process_creation
  process.name: "node.exe"
  process.args contains: "jquery.js"
  alert: "Potential TaskWeaver loader — investigate immediately"

# Detect Djinn Stealer reconnaissance artifacts
rule: file_creation
  file.name in ["env.json", "processList.txt"]
  file.path not in expected_application_paths
  alert: "Djinn Stealer reconnaissance artifact detected"

# Detect outbound connections to Cloudflare Tunnel lookalike domains
rule: dns_query
  dns.question.name matches: /.*dev-tunnel.*\.(com|net|io)/
  alert: "Potential C2 via Cloudflare Tunnel lookalike"

SimpleHelp log monitoring:

  • Alert on any OIDC login event outside business hours or from unrecognized IP ranges.
  • Alert on new Technician account creation, especially when correlated with an OIDC login event.
  • Alert on any configuration changes (Administration section) by accounts not in your known-admin list.

Network detection:

  • Block outbound connections from RMM servers to non-approved destinations.
  • Monitor for node.exe spawning child processes or establishing outbound network connections on managed endpoints.

References

Latest from the blog

See all →