
SimpleHelp CVE-2026-48558

EUVD-2026-36509 · CRITICAL
Improper Verification of Cryptographic Signature (CWE-347)
2026-06-12 VulnCheck GHSA-m93h-gjv2-fmq2
9.5
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck), primary: 9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 10.0 CRITICAL

Rationale: a remote, unauthenticated attacker who forges a JWT obtains a technician session that controls managed endpoints, so S:C with full CIA impact; AC:L because the signature check is simply absent once OIDC is enabled.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not a CVSS 4.0 metric)

Lifecycle Timeline

Patch available: Jun 12, 2026, 19:01 (EUVD)
Analysis generated: Jun 12, 2026, 18:15 (vuln.today)

Description (CVE.org)

SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.

Analysis (AI)

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attackers to forge OIDC identity tokens and obtain fully authenticated technician sessions, because the server accepts ID tokens without verifying their cryptographic signature. Publicly available exploit code exists and the flaw can also bypass MFA in some configurations, making vulnerable remote-support deployments a high-priority target despite no current CISA KEV listing.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify exposed SimpleHelp server with OIDC
Delivery: Forge JWT with target technician claims
Exploit: POST token to OIDC login endpoint
Install: Server skips signature verification
C2: Receive authenticated technician session cookie
Execute: Use console to push commands to managed endpoints
Impact: Deploy ransomware or exfiltrate data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the SimpleHelp server be running version 5.5.15 or earlier (or a 6.0 pre-release) AND be configured to use OIDC authentication for the technician console; instances using only built-in local accounts are not exposed via this code path. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: This is a genuine top-priority issue, not a high-CVSS-low-real-risk case. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker locates an internet-exposed SimpleHelp server with OIDC enabled (Shodan/Censys fingerprinting), crafts a JWT whose payload claims a valid technician's subject/email and uses any signature (or 'alg:none'), and POSTs it to the OIDC callback. Because the signature is never verified, the server issues a fully authenticated technician session, after which the attacker uses SimpleHelp's built-in remote-access tooling to push commands or files to every connected endpoint, a path that the publicly available Horizon3 PoC demonstrates end-to-end.

Remediation: Patch available per vendor advisory at https://simple-help.com/security/simplehelp-security-update-2026-05. Upgrade SimpleHelp to the fixed release listed there (a specific fixed version is not independently confirmed in the supplied data, so consult the advisory for the exact build number) and review the Horizon3 IOC writeup at https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/ for compromise indicators before resuming production use. … Detailed patch versions, workarounds, and compensating controls in full report.
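The Description and Exploit Scenario above both come down to one defect class (CWE-347): the relying party reads identity claims out of an ID token without ever checking its signature, so a token with a bogus signature, or with alg set to none, is as good as a real one. The following is an added, self-contained illustration of that defect beside a hardened verifier; it is not SimpleHelp's code and says nothing about how SimpleHelp's OIDC handler is written. To stay dependency-free it uses HS256 with a constructed shared secret; a real OIDC relying party would instead fetch the provider's JWKS and verify RS256/ES256 signatures, but the checks that matter (pin the algorithm, verify the signature before trusting any claim, then validate iss, aud and exp) are the same. EXPECTED_ISSUER, EXPECTED_AUDIENCE, the subjects and all tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example (not from any real deployment).
SHARED_SECRET = b"example-client-secret-not-a-real-key"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "remote-support-console"  # hypothetical OIDC client_id


class TokenRejected(Exception):
    """Raised by the hardened verifier for any token it will not trust."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS test vector. With alg='none' the signature segment
    is empty, which is exactly the shape anyone can produce without a key."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern (CWE-347): the payload is treated as identity
    without any signature check, so every token in existence is 'valid'."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Hardened pattern: algorithm is pinned server-side, signature is checked
    in constant time before the payload is parsed, then iss/aud/exp are validated."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose; 'none' dies here
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise TokenRejected("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired or missing exp")
    return claims


def compare_verifiers(now: float = 1_800_000_000.0) -> dict:
    """Feed a legitimate token and two forgeries to both decoders and report
    which subject each one ended up trusting."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "tech-0042", "email": "technician@example.test", "exp": now + 300}
    forged = dict(base, sub="admin-0001", email="admin@example.test")
    cases = {
        "legit": mint_token(base, SHARED_SECRET),
        "bad_sig": mint_token(forged, b"key-the-attacker-does-not-have"),
        "alg_none": mint_token(forged, b"", alg="none"),
    }
    out = {"unverified": {}, "verified": {}}
    for name, tok in cases.items():
        out["unverified"][name] = decode_unverified(tok)["sub"]
        try:
            out["verified"][name] = decode_verified(tok, SHARED_SECRET, now=now)["sub"]
        except TokenRejected as err:
            out["verified"][name] = f"rejected: {err}"
    return out


if __name__ == "__main__":
    print(json.dumps(compare_verifiers(), indent=2))
```

Running it shows the unverified decoder happily returning admin-0001 for both forgeries, while the verified decoder accepts only the legitimately signed token and names the reason it rejected each forgery. The ordering inside decode_verified is deliberate: the algorithm check precedes signature verification, and signature verification precedes any use of the claims, so an attacker never gets to influence which key or algorithm the server uses.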

Recommended Action (AI)

24 hours: Audit all SimpleHelp instances to identify versions 5.5.15 and prior or 6.0 pre-release builds. …
