SimpleHelp flaw lets unauthenticated attackers create rogue admin technicians

A critical flaw in SimpleHelp, a remote support and management tool used by IT teams and managed service providers, lets an unauthenticated attacker create a privileged technician account and skip multi-factor authentication. The bug (CVE-2026-48558) only affects servers configured to use OpenID Connect (OIDC) single sign-on, including Azure AD, and stems from how the server validates identity assertions from the login provider. A rogue technician can then remote into managed machines and run scripts, giving attackers a foothold across every connected endpoint. Researchers found roughly 14,000 SimpleHelp servers exposed online, with about 7 percent using the vulnerable OIDC setup. The flaw affects versions 5.5.15 and earlier.

Check
Determine whether your SimpleHelp servers use OIDC single sign-on (generic or Azure AD) and are running 5.5.15 or earlier, then review the technician account list for unfamiliar or recently created accounts.
Affected
SimpleHelp servers version 5.5.15 and earlier and 6.0 pre-release builds configured for OpenID Connect authentication (CVE-2026-48558), especially those exposed to the internet with group-authenticated logins allowed.
Fix
Update SimpleHelp to the latest patched release immediately. Until then, restrict server access to trusted networks and remove any unrecognized technician accounts found during review.
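A triage helper for the Check step above, added here as an example and not SimpleHelp's own tooling: it applies the advisory's affected criteria (OIDC or Azure AD sign-on on 5.5.15 or earlier, or a 6.0 pre-release) to a server inventory and lists technician accounts created after a review cutoff. The inventory and account records are constructed, and the auth-mode labels, hostnames and dates are assumptions, not a SimpleHelp export format.

```python
"""Triage for CVE-2026-48558: flag affected SimpleHelp servers and recent technicians."""
from datetime import date

AFFECTED_MAX = (5, 5, 15)          # 5.5.15 and earlier are affected
OIDC_MODES = {"oidc", "azure_ad"}  # constructed labels for OIDC-based SSO


def parse_version(v):
    """'5.5.15' -> (5, 5, 15, False); '6.0.0-beta1' -> (6, 0, 0, True)."""
    core, sep, _tag = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], bool(sep))


def is_affected_version(v):
    """True for <= 5.5.15 and for 6.0 pre-release builds, per the advisory."""
    major, minor, patch, pre = parse_version(v)
    if (major, minor, patch) <= AFFECTED_MAX:
        return True
    return pre and (major, minor) == (6, 0)


def affected_servers(inventory):
    """Hosts using OIDC-style sign-on with a version in the affected range."""
    return [s["host"] for s in inventory
            if s["auth"] in OIDC_MODES and is_affected_version(s["version"])]


def recent_technicians(accounts, since):
    """Technician accounts created on or after `since` (ISO date), for manual review."""
    cutoff = date.fromisoformat(since)
    return sorted(a["name"] for a in accounts
                  if date.fromisoformat(a["created"]) >= cutoff)


# Constructed sample data, not taken from any real deployment.
INVENTORY = [
    {"host": "rs1.example.internal", "version": "5.5.15", "auth": "azure_ad"},
    {"host": "rs2.example.internal", "version": "5.6.0", "auth": "oidc"},
    {"host": "rs3.example.internal", "version": "6.0.0-beta1", "auth": "oidc"},
    {"host": "rs4.example.internal", "version": "5.5.10", "auth": "local"},
]
ACCOUNTS = [
    {"name": "alice", "created": "2024-03-01"},
    {"name": "svc-helpdesk", "created": "2026-05-02"},
]

if __name__ == "__main__":
    print("Affected servers:", affected_servers(INVENTORY))
    print("Accounts to review:", recent_technicians(ACCOUNTS, "2026-04-01"))
```

Servers running a non-OIDC mode are not flagged, matching the advisory's scope, but still belong on the update list.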