Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: simplehelp (4 articles)Clear

Djinn stealer harvests cloud and AI credentials through SimpleHelp RMM flaw

A new information stealer called Djinn is being used to grab cloud and AI service credentials, Dark Reading reports. Attackers deliver it by exploiting CVE-2026-48558, a critical authentication-bypass flaw in the SimpleHelp remote-management tool, then use Djinn to target the credentials that link developer and administrator environments to broader enterprise systems. The focus on cloud and AI secrets reflects where valuable access now lives: API keys and tokens for cloud platforms and AI services can unlock far more than a single machine. Organizations that run SimpleHelp, especially unpatched instances, are the immediate exposure point for this credential theft.

Check
Confirm SimpleHelp servers are patched against CVE-2026-48558, and review developer and admin systems for credential theft and any unexpected use of cloud or AI service API keys and tokens.
Affected
Organizations running SimpleHelp remote-management software vulnerable to CVE-2026-48558; Djinn specifically hunts the cloud and AI service credentials that bridge developer and admin environments to wider enterprise systems.
Fix
Patch SimpleHelp immediately, rotate cloud and AI service credentials that may have been exposed, enforce least privilege and short-lived tokens, and monitor for unusual API key usage.

SimpleHelp flaw lets unauthenticated attackers create rogue admin technicians

A critical flaw in SimpleHelp, a remote support and management tool used by IT teams and managed service providers, lets an unauthenticated attacker create a privileged technician account and skip multi-factor authentication. The bug (CVE-2026-48558) only affects servers configured to use OpenID Connect (OIDC) single sign-on, including Azure AD, and stems from how the server validates identity assertions from the login provider. A rogue technician can then remote into managed machines and run scripts, giving attackers a foothold across every connected endpoint. Researchers found roughly 14,000 SimpleHelp servers exposed online, with about 7 percent using the vulnerable OIDC setup. The flaw affects versions 5.5.15 and earlier.

Check
Determine whether your SimpleHelp servers use OIDC single sign-on (generic or Azure AD) and are running 5.5.15 or earlier, then review the technician account list for unfamiliar or recently created accounts.
Affected
SimpleHelp servers version 5.5.15 and earlier and 6.0 pre-release builds configured for OpenID Connect authentication (CVE-2026-48558), especially those exposed to the internet with group-authenticated logins allowed.
Fix
Update SimpleHelp to the latest patched release immediately. Until then, restrict server access to trusted networks and remove any unrecognized technician accounts found during review.

Phishing campaign hit 80+ companies by getting employees to install legitimate remote-access software disguised as a Social Security letter

Securonix tracked a phishing campaign called VENOMOUS#HELPER that has hit 80+ organizations (mostly in the US) since April 2025 by getting employees to install legitimate remote-monitoring software they think is a Social Security Administration document. The lure is a fake SSA email asking the recipient to download their statement; the link points to a compromised Mexican business website hosting a SimpleHelp installer. Once installed, the attackers gain SYSTEM-level access, then quietly install ConnectWise ScreenConnect as a backup channel. The pattern aligns with initial-access broker activity: quiet persistence, then sale or hand-off to ransomware operators.

Check
Hunt every Windows endpoint for SimpleHelp and ConnectWise ScreenConnect installs not authorized by IT. Search proxy logs for connections to gruta.com.mx since April 2025.
Affected
Windows endpoints in organizations without strict application allowlisting. 80+ confirmed victims, mostly US, across multiple sectors. Acute risk: companies whose staff regularly receive government correspondence (SSA, IRS, state tax) where 'verify and download' lures feel routine. Initial access brokers run these campaigns to sell footholds, so any compromised host becomes a potential ransomware launchpad weeks later.
Fix
Enforce application allowlisting on Windows endpoints to block unapproved RMM software. Remove unauthorized SimpleHelp, ScreenConnect, PDQ Connect, LogMeIn Resolve, N-able, or Fleetdeck installs and treat the host as compromised. Block Securonix's published indicators (gruta.com.mx, server.cubatiendaalimentos.com.mx) at the network egress layer. Rotate credentials on affected hosts.

CISA adds four more flaws to KEV - SimpleHelp authorization bypass (CVSS 9.9), Samsung MagicINFO, and the D-Link DIR-823X bug already powering fresh Mirai botnets

CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.

Check
Inventory exposed instances of SimpleHelp, Samsung MagicINFO 9 Server, and any remaining D-Link DIR-823X routers. SimpleHelp is the priority - it sits inside the IT trust boundary.
Affected
SimpleHelp before 5.5.8 against CVE-2024-57726 and CVE-2024-57728 (chained to RCE as the SimpleHelp server user). Samsung MagicINFO 9 Server unpatched against CVE-2024-7399. D-Link DIR-823X firmware 240126 and 24082 against CVE-2025-29635 - the product line is discontinued and no vendor patch exists.
Fix
Upgrade SimpleHelp to 5.5.8+ and rotate every API key issued by every technician account, since unprivileged techs could have minted privileged keys during the vulnerable window. Audit SimpleHelp session logs for anomalies. Patch Samsung MagicINFO and remove its internet exposure. For D-Link DIR-823X, replace the hardware - there is no fix. Treat May 8 as your own deadline.