In a significant security revelation, researchers at Horizon3.ai have uncovered a critical vulnerability in the SimpleHelp remote management software. This flaw, tracked as CVE-2026-48558, enables unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol. The vulnerability affects versions 5.5.15 and older, as well as 6.0 pre-release versions, and has been assigned a critical severity rating.
The issue stems from how identity assertions received from an OIDC identity provider (IdP) are validated. When OIDC authentication is enabled, an attacker can create and log in as a new Technician user without needing to go through the multi-factor authentication (MFA) process. This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more.
The Scope and Impact of CVE-2026-48558
The vulnerability does not impact every SimpleHelp server running a vulnerable version; rather, it affects a subset that relies on the OIDC protocol, whether the generic one or Azure AD OIDC, both common in large enterprises. For the exploit to work, several prerequisites must be met: OIDC authentication must be enabled, at least one Technician Group must be associated with the OIDC provider, and the group must have “Allow group authenticated logins” enabled.
Results from Shodan show about 14,000 SimpleHelp servers exposed to the public internet. Analysis of a random sample suggests that roughly 7.2% are configured to use OIDC authentication. Additionally, Horizon3.ai found that the “Allow group authenticated logins” setting is enabled in many cases. Organizations can defend against attacks by updating to the latest SimpleHelp releases that address the issue or by restricting technician login sources using IP-based allowlists.
Indicators of Compromise and Mitigation
The researchers have shared indicators of compromise that can help detect active exploitation, such as new authenticated technician users with unknown or suspicious names and/or email addresses. Additionally, the logs in ‘/opt/SimpleHelp/logs/server.log’ and ‘/opt/SimpleHelp/logs/
SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product. Neither SimpleHelp nor Horizon3.ai has reported evidence of active exploitation. However, given the product’s history of attracting significant threat actor interest, organizations are advised to apply the available fixes or mitigations without delay.
The Discovery and Disclosure Process
At Horizon3.ai, researchers have been experimenting with generative AI to enhance vulnerability research. Early in 2026, inspired by DARPA’s AIxCC, they ventured into creating an autonomous vulnerability research pipeline codenamed “Sua Sponte.” This initiative has identified various vulnerabilities in commercially relevant applications, including authentication bypass and unauthenticated remote code execution.
The discovery of CVE-2026-48558 was made after ingesting SimpleHelp code into their pipeline. The vulnerability affects servers configured to use either version of OIDC and is rooted in the way that SimpleHelp validates the IdP assertions. The exact conditions that make SimpleHelp vulnerable to this technician creation vector include OIDC being enabled, a TechnicianGroup associated with the OIDC provider, and “Allow group authenticated logins” being enabled on the TechnicianGroup.
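The flaw class named above, incomplete validation of the IdP's identity assertion before an account is provisioned, is easiest to see by listing the checks a relying party must make on an OIDC ID token. The block below is an added illustration, not SimpleHelp's code and not a description of the actual bug (which the article does not detail); the secret, issuer and client_id are constructed values, and HS256 stands in for the RS256/JWKS setup real IdPs use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: an HS256 shared secret (real IdPs usually sign RS256
# with keys fetched from their JWKS endpoint) and an assumed issuer / client_id.
IDP_SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "simplehelp-relying-party"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = IDP_SECRET) -> str:
    """Produce a signed ID token as the (constructed) IdP would."""
    h = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    b = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return f"{h}.{b}.{_b64u(sig)}"

def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Return the claims only if every relying-party check passes; raise otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    # Pin the algorithm instead of trusting the header; this also rejects alg=none.
    if json.loads(_b64u_dec(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(b))
    # iss and aud bind the assertion to this IdP and to this client registration.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # exp and nonce stop replay of an old assertion or one issued for another session.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # Look up or provision the account by the stable sub claim, never by a free-form name.
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims
```

Only a token that passes all of these checks should reach the code path that creates or maps a technician account; skipping any one of them is enough to let a self-issued assertion through.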
The disclosure timeline began on May 21, 2026, when the vulnerability was discovered and validated. It was reported to SimpleHelp on May 22, 2026, and further communication ensued until June 1, 2026. On June 9, 2026, SimpleHelp released patches without prior communication to Horizon3.ai. The blog detailing the vulnerability was published on June 12, 2026.