Critical Auth-Bypass in SimpleHelp (CVE-2026-48558, CVSS 10): Attackers Can Take Over Every Managed PC — Now in CISA KEV, Update to 5.5.16
SimpleHelp remote-support software has a critical auth-bypass flaw (CVE-2026-48558, CVSS 10): attackers forge a login to create an admin technician and take over every managed PC. Now in CISA KEV — update to 5.5.16.
An extremely serious vulnerability has been found in "SimpleHelp," software that IT staff use to remotely operate employees' and customers' PCs for maintenance and support. An attacker can bypass login to create an admin-level account on their own and remotely take over every PC that SimpleHelp manages. The identifier is CVE-2026-48558, with the maximum severity of CVSS 10.0 out of 10. The U.S. agency CISA has added this flaw to its catalog of vulnerabilities known to be exploited in actual attacks (KEV).
Because one server of this kind of remote-support software can control hundreds of endpoints at once, a compromised server spreads damage rapidly and broadly. Especially if a managed service provider (MSP) that handles IT support uses it, the endpoints of their downstream customer companies can be dragged in too. SimpleHelp has a past history of vulnerabilities being abused in ransomware attacks, so this is a case to act on quickly, as security media abroad have also reported. The security firm Horizon3.ai, which found the flaw, and the vendor SimpleHelp have each published information.
| Item | Details |
|---|---|
| CVE | CVE-2026-48558 |
| Target | SimpleHelp (remote-support software) |
| Type | Authentication bypass (login impersonation) |
| What happens | Rogue admin-level account creation → remote takeover of managed PCs |
| Severity (CVSS) | 10.0 (NVD / CVSS v3.1 — maximum) |
| Affected / Fixed | 5.5.15 and earlier, 6.0 pre-release / 5.5.16, 6.0 RC2 (5.6.9 also fixed) |
| Exploitation | Listed in CISA KEV (exploited) |
*KEV is the U.S. CISA list of vulnerabilities confirmed to be "used in actual attacks." You can also track the latest via our CISA KEV dashboard (Japanese).
Who is at risk, and what is the damage
This hole is hunted by attackers, ransomware gangs included, who scan for companies' internet-exposed remote-support servers and use them as a foothold to widen their intrusion. SimpleHelp servers are often placed facing the internet so that external technicians can connect from anywhere, which makes them an ideal entry point. Public scans found roughly 14,000 SimpleHelp servers exposed on the internet at the time.
The attacker sends forged login information that looks genuine and creates an admin-level "technician" account on their own. With this method, they even slip past multi-factor authentication (which adds a phone confirmation on top of a password). Once they have the account, the attacker uses SimpleHelp's legitimate features to remotely connect to managed PCs and run any program (script) they like.
The essence of the damage is that taking over the "managing" server puts every endpoint beneath it at risk at once. Employees' PCs, customer-site endpoints, and the information stored on them become targets, leading directly to ransomware deployment (encrypting data and demanding a ransom) or exfiltration of confidential data. If an IT support provider is hit, the damage cascades to multiple customer companies. In fact, SimpleHelp also had other vulnerabilities abused by several ransomware groups in 2025, and the trend of remote-management software being targeted as an intrusion path continues. It is not unrelated to the situation in Japan, where ransomware damage has been hitting manufacturers one after another.
What SimpleHelp is, and whether your server is affected
SimpleHelp is remote-support software that IT staff and support providers use to connect to employees' and customers' PCs in remote locations to operate the screen, transfer files, run commands, and more. Used at help desks and in maintenance work, it is a tool for "remotely operating the other party's PC," in the same category as TeamViewer or AnyDesk. Organizations stand up their own SimpleHelp server and connect endpoints to it for centralized management.
What is important is that not every SimpleHelp server is a target of this attack. According to the discoverer, exploitation requires all three of the following conditions:
| Precondition for exploitation | Details |
|---|---|
| (1) External login link | At least one OIDC provider (login with an external ID) is configured |
| (2) Group association | A TechnicianGroup is associated with that provider |
| (3) Group auth allowed | "Allow group authenticated logins" is enabled |
In other words, servers that do not use external-ID login (OIDC integration) are not subject to this particular attack. But rather than spending time confirming whether the conditions apply, the surest move is to simply update to the fixed version. You can check your version in the admin console; 5.5.15 and earlier are affected.
How the login is bypassed
SimpleHelp supports "OIDC," a mechanism for logging in with an external identity provider (such as a Google or Microsoft account). In OIDC, a digital ticket (a token) proving that a login occurred is exchanged, and that ticket carries information on "who, with what privileges" plus a digital signature to prevent tampering. The recipient must always verify this signature to confirm it is genuine, issued by a legitimate identity provider.
This flaw lies in the fact that SimpleHelp did not properly verify that signature (classified as "improper verification of a cryptographic signature," CWE-347). As a result, an attacker could impersonate a legitimate technician simply by sending a forged ticket with the contents rewritten to suit themselves. Because a newly created technician account was designed to register its own multi-factor authentication on first login, the attacker could set up that confirmation freely too — nullifying the multi-factor protection. The discoverer Horizon3.ai has published the technical details and ways to check your server.
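As an added illustration (not code from SimpleHelp or Horizon3.ai), the check that CWE-347 describes as missing: a verifier that reads no claim until the token's signature, algorithm, issuer, audience and expiry have all been validated, next to the insecure pattern of decoding the payload directly. It uses the HS256 (shared-secret) JWS algorithm so that it runs on the standard library alone; real OIDC deployments usually use RS256 with keys fetched from the provider's JWKS, and the structure of the check is the same. The key, issuer and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def insecure_claims(token: str) -> dict:
    """The CWE-347 pattern: reads the payload and never looks at the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Returns the claims only after the signature and iss/aud/exp checks pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: this also rejects "none" and RS256->HS256 confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))  # parsed only after verification
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def mint_token(key: bytes, claims: dict, alg: str = "HS256") -> str:
    """Stand-in for the identity provider (constructed for this example)."""
    h64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```

A token signed with any key other than the provider's, or carrying an unexpected `alg`, is rejected before its `email` or role claims are ever read, which is exactly the step the insecure path skips.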
Timeline
| When | Event |
|---|---|
| May 21, 2026 | Horizon3.ai discovers and validates the flaw |
| May 22, 2026 | Reported to SimpleHelp |
| June 9, 2026 | Fixed versions (5.5.16, 6.0 RC2) released |
| June 12, 2026 | Details publicly disclosed |
| Late June 2026 | U.S. CISA adds it to KEV (exploited list) |
What to do now
The top priority is updating to the fixed version. If you use the stable line, move to 5.5.16 or later; on newer lines, move to 5.6.9 or 6.0 RC2 or later. If your SimpleHelp server is exposed to the internet, act especially fast, and until the update is done, consider interim measures such as restricting the connection sources to your internal network or specific sites (access control).
Because exploitation is already confirmed, checking for intrusion matters as much as updating. The discoverer recommends checking "Administration → Technicians" in the admin console for any unfamiliar technician names or email addresses that have been added. Also, look in the server logs for a technician-registration record like "Registering technician login for (suspicious email) / (Technicians)." If you find an account or log you do not recognize, proceed with investigation and response on the assumption that you have already been compromised.
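The log check above, as an added example rather than anything published by SimpleHelp or Horizon3.ai: it scans a log excerpt for technician-registration lines and flags any whose email is not on a roster of technicians you know you created. The line format is inferred from the fragment quoted above and is an assumption; the log lines and roster are constructed.

```python
import re
from typing import Dict, List, Set

# Pattern inferred from the fragment the article quotes; the exact format of
# real SimpleHelp log lines is an assumption and may need adjusting.
REGISTRATION = re.compile(
    r"Registering technician login for (?P<email>\S+) / \((?P<group>[^)]+)\)"
)

def find_unexpected_registrations(log_lines: List[str],
                                  approved: Set[str]) -> List[Dict[str, str]]:
    """Returns registration events whose email is not on the approved roster.

    `approved` is compared case-insensitively, so supply lowercase addresses.
    """
    hits = []
    for line in log_lines:
        m = REGISTRATION.search(line)
        if m and m.group("email").lower() not in approved:
            hits.append({"line": line.strip(),
                         "email": m.group("email"),
                         "group": m.group("group")})
    return hits

# Constructed sample excerpt; not real SimpleHelp output.
SAMPLE_LOG = [
    "2026-06-10 08:02:11 INFO  Registering technician login for alice@example.com / (Technicians)",
    "2026-06-10 08:05:40 INFO  Session started by alice@example.com",
    "2026-06-11 23:47:03 INFO  Registering technician login for svc.update@mail-example.net / (Technicians)",
    "2026-06-12 09:14:22 INFO  Registering technician login for bob@example.com / (Technicians)",
]
APPROVED = {"alice@example.com", "bob@example.com"}

if __name__ == "__main__":
    for hit in find_unexpected_registrations(SAMPLE_LOG, APPROVED):
        print(f"UNEXPECTED registration: {hit['email']} in {hit['group']}")
```

Any hit should be cross-checked against "Administration → Technicians" and treated as a possible compromise, not just deleted.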
Summary
CVE-2026-48558 is an authentication bypass flaw in the remote-support software SimpleHelp. Exploiting weak signature verification, an attacker can create an admin-level account without logging in, slip past multi-factor authentication, and remotely take over managed PCs. The U.S. CISA has confirmed exploitation, and the severity is at the maximum. Update the stable line to 5.5.16 or later and, at the same time, check for any suspicious technician accounts.
Software on the "managing" side affects everything beneath it once it is breached. The more convenient a remote-management tool is, the more a review of its exposure and a fast update become the dividing line for preventing damage.
FAQ
I use SimpleHelp — am I necessarily at risk?
Exploitation requires three conditions to line up: external-ID login (OIDC integration) configured, a technician group associated, and group authentication enabled. Servers without this setup are not subject to this particular attack. But rather than spend time confirming, the surest move is to update to a fixed version such as 5.5.16 or later first.
Which version should I upgrade to?
It is fixed in 5.5.16 or later on the stable line, and in 5.6.9 or 6.0 RC2 or later on newer lines. Affected are 5.5.15 and earlier, plus the 6.0 pre-release.
How do I check whether I've already been breached?
In the admin console, open "Administration → Technicians" and check whether any unfamiliar technician accounts (names, email addresses) have been added. Suspicious technician-registration records in the server logs are also a clue. If you find anything you don't recognize, proceed on the assumption that you have been compromised.
Is it already being exploited?
The U.S. CISA has added this flaw to its list of vulnerabilities used in actual attacks (KEV). SimpleHelp also had other vulnerabilities abused in ransomware attacks in 2025, and remote-management software is continually targeted as an intrusion path. Prompt updating and inspection are needed.
Update history
- June 30, 2026: First published (based on Horizon3.ai's disclosure, SimpleHelp's security information, and the addition to CISA KEV).
Makoto Horikawa
Backend Engineer / AWS / Django