SimpleHelp is remote monitoring and management software that managed service providers use to reach into client systems, run scripts, and provide technical support at scale. That reach is precisely why CVE-2026-48558, a critical authentication bypass disclosed in June, is being treated as one of the more consequential MSP-focused vulnerabilities of the year.
How the bypass works
The flaw sits in how SimpleHelp validates OpenID Connect identity tokens during login. In affected builds, when OIDC authentication is configured, SimpleHelp accepts identity tokens without verifying their cryptographic signature. An attacker who understands this gap can forge a token and, under specific but far from rare configuration conditions, create a new “Technician” account and authenticate as it without ever supplying valid credentials.
A Technician account in SimpleHelp is not a low-privilege role. By default it can remote into every managed endpoint under that instance, execute scripts, and perform other administrative actions across the client base the MSP serves. Internet scans have identified roughly 14,000 externally exposed SimpleHelp servers, with an estimated 1,000 directly vulnerable to the specific OIDC configuration this bypass requires.
Active exploitation and MSP supply chain risk
Security researchers have confirmed active exploitation in the wild, with attackers using the bypass to deploy Djinn Stealer and TaskWeaver malware, tools designed to harvest cloud and AI service credentials from compromised endpoints. CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog, setting a 2 July 2026 remediation deadline for federal systems.
The structural risk here is what security teams call an MSP supply chain attack. A single MSP typically manages infrastructure for dozens or hundreds of downstream client organisations. Compromising the MSP’s SimpleHelp instance does not just expose the MSP itself; it hands the attacker administrative access to every client endpoint the MSP manages through that instance, in one step. This is the same category of risk that made prior RMM and IT management software compromises so damaging: the blast radius is measured in clients, not servers.
Remediation
SimpleHelp 5.5.15 and earlier, along with all 6.0 pre-release builds, are affected. The vendor has shipped fixes in version 5.5.16 and 6.0 RC2. Organisations that cannot patch immediately should disable OIDC authentication under Administration, Login Security, as an interim mitigation, since the vulnerability only applies when OIDC is configured with group-authenticated logins enabled.
Organisations that use an MSP for IT support, rather than running SimpleHelp themselves, are not exempt from this risk. It is worth asking any MSP directly whether their remote support tooling was affected and what remediation steps they have already completed, since the exposure sits upstream of anything the client organisation can directly control.
If your organisation relies on third-party MSPs or runs its own RMM tooling and needs a review of the access controls and authentication configuration around it, contact Excello Digital. We help European organisations assess the supply chain risk sitting inside the tools their support providers use every day.
