CVE-2026-48558 is a critical vulnerability in SimpleHelp remote management software that permits unauthenticated attackers to create and log in as privileged Technician users on servers using OIDC authentication. The root cause is improper validation of identity assertions from OIDC identity providers. Exploitation requires OIDC authentication enabled, at least one Technician Group linked to the OIDC provider, and the group having 'Allow group authenticated logins' enabled. Successful exploitation allows attackers to perform privileged management tasks such as remote access and script execution without multi-factor authentication. The vulnerability affects SimpleHelp versions 5.5.15 and earlier, and 6.0 pre-release versions. The vendor released patched versions 5.5.16 and 6.0RC2 on June 9, 2026.

Attackers can create rogue privileged technician accounts without authentication or multi-factor authentication, enabling them to remotely manage endpoints, execute scripts, and perform other privileged actions. This compromises the confidentiality, integrity, and availability of managed systems. The vulnerability affects only SimpleHelp servers configured to use OIDC authentication with specific group settings. Approximately 7.2% of publicly exposed SimpleHelp servers may be vulnerable based on configuration estimates. No active exploitation has been reported so far.

SimpleHelp has released official patches in versions 5.5.16 and 6.0RC2 that fix this vulnerability. Organizations should update to these versions immediately. If updating is not feasible, restricting technician login sources via IP-based allowlists can mitigate risk. Monitoring for suspicious new technician accounts and reviewing server logs for unauthorized registrations and configuration changes can help detect exploitation attempts.