SimpleHelp SimpleHelp CVE-2026-48558: actively exploited vulnerability added to CISA KEV

Confirmed
Discovered Jun 29, 2026

CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.

2
Affected Packages
2
Observables
5
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
simple-help-simplehelp, simple-help-simplehelp
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
SimpleHelp
CVE-2026-48558

Analysis

Executive Summary

CISA added CVE-2026-48558 for SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29, which is the active-exploitation gate for this Halting Problems entry [1]. NVD describes the issue as: SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required. [2].

This entry is intentionally evidence-conservative. The public sources reviewed for this automated refresh provide active-exploitation status, product identity, and vulnerability metadata, but they do not publish attacker-controlled infrastructure, file hashes, victim counts, or a campaign name. Source and advisory URLs are therefore kept as source selectors rather than IOC values.

Key Facts

CVE: CVE-2026-48558

Vendor: SimpleHelp

Product: SimpleHelp

KEV Added: 2026-06-29

KEV Due Date: 2026-07-02

Affected / Fixed Version Selectors:

  • simple-help-simplehelp@<5.5.16
  • simple-help-simplehelp@6.0

CVSS: 10.0 CRITICAL

Evidence Assessment

Analysis table
ClaimStatusEvidence
CISA lists CVE-2026-48558 as exploited in the wild for SimpleHelp SimpleHelp.confirmedCISA KEV entry for CVE-2026-48558 names SimpleHelp and SimpleHelp and records date added 2026-06-29 [1].
NVD has a CVE record describing the vulnerable product behavior.confirmedNVD record for CVE-2026-48558 includes the description quoted above and version metadata where available [2].
Public sources identify attacker infrastructure, hashes, or campaign attribution.not_observedCISA KEV, NVD, and linked references reviewed during this run do not publish those IOC classes.

Impact Determination

Treat internet-exposed or identity-integrated SimpleHelp systems as high-priority until version and mitigation evidence are captured. Affected systems require product log review, host-level timeline preservation, and a post-fix scan. If exploitation succeeded, defenders should decide whether sessions, API keys, service credentials, or product-managed secrets could have been accessed or abused from the compromised host.

Detection and Hunting

The reviewed hunt manifest ships with scripts/scope_simplehelp-cve-2026-48558-kev.py. It scans asset inventories and exported logs for CVE-2026-48558, SimpleHelp, SimpleHelp, and affected-version selectors. Use it against CMDB exports, scanner exports, EDR file/log bundles, web server logs, and product-specific logs collected in a forensics-safe workspace.

Positive findings are scope signals, not proof of compromise. Escalate to product-specific IR by preserving UTC timelines, snapshots or hashes of relevant configs and logs, evidence owner, collection time, and chain-of-custody notes.

Remediation and Recovery Gates

  1. Confirm whether each SimpleHelp instance is affected by matching deployed version evidence against vendor/NVD ranges.
  2. Apply the vendor fixed release or documented mitigation, then capture before/after version proof.
  3. Run a post-fix scan and keep the result with the incident record.
  4. Review product logs and host telemetry for exploit success, persistence, new users, changed configuration, suspicious scheduled tasks, web shells, or unexpected outbound access.
  5. Make a credential/session rotation decision based on whether exploitation reached secrets, sessions, SSO/OIDC material, API keys, or product-managed credentials.
  6. Monitor for recurrence after recovery.

Indicators of Compromise

No attacker-controlled domains, URLs, hashes, or IP addresses were published by the sources reviewed for this entry. Machine-readable IOC fields are intentionally empty for those classes.

Open Questions

  • Which exploitation clusters are using CVE-2026-48558 in the wild?
  • Are there reliable product-specific log signatures beyond version and exposure scoping?
  • Did vendor or researcher sources publish additional affected/fixed-version detail after this automated refresh?

Sources

Timeline

6 of 6 rows

Timeline
DateEventDescriptionSource
Jun 29, 2026DiscoveryDiscovery recorded for SimpleHelp SimpleHelp CVE-2026-48558 actively exploited vulnerability.cisa.gov
Jul 2, 2026kev due datekev due date recorded for SimpleHelp SimpleHelp CVE-2026-48558 actively exploited vulnerability.cisa.gov
Invalid DateDisclosureDisclosure recorded for SimpleHelp SimpleHelp CVE-2026-48558 actively exploited vulnerability.cisa.gov
Jun 29, 2026First seenFirst seen recorded for SimpleHelp SimpleHelp CVE-2026-48558 actively exploited vulnerability.cisa.gov
Invalid DatePatch or fixPatch or fix recorded for SimpleHelp SimpleHelp CVE-2026-48558 actively exploited vulnerability.cisa.gov
Jun 29, 2026SimpleHelp SimpleHelp CVE-2026-48558: actively exploited vulnerability added to CISA KEVUnknowncisa.gov

Affected Software

2 of 2 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
simple-help-simplehelpenterprise-software< 5.5.16Malicious90%cisa.gov; horizon3.ai; simple-help.com; nvd.nist.gov; blackpointcyber.com
simple-help-simplehelpenterprise-software6.0Malicious90%cisa.gov; horizon3.ai; simple-help.com; nvd.nist.gov; blackpointcyber.com

IOC Clipboard

2 IOCs
commandSimpleHelp
commandCVE-2026-48558

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
CVE-2026-48558 asset and telemetry scopePythonDo asset inventories or exported telemetry contain CVE-2026-48558, SimpleHelp, SimpleHelp, or affected-version selectors?scripts/scope_simplehelp-cve-2026-48558-kev.py opens in a new tabcisa.gov

Hunt Manifest: CVE-2026-48558 asset and telemetry scope

Title
CVE-2026-48558 asset and telemetry scope
Question
Do asset inventories or exported telemetry contain CVE-2026-48558, SimpleHelp, SimpleHelp, or affected-version selectors?
Telemetry Family
Python
Repository
scripts/scope_simplehelp-cve-2026-48558-kev.py
Show tested hunting scriptscripts/scope_simplehelp-cve-2026-48558-kev.py
scripts/scope_simplehelp-cve-2026-48558-kev.py opens in a new tabPython
#!/usr/bin/env python3
"""Scope CVE-2026-48558 exposure from asset inventories and exported product logs.

Input: a directory containing CSV, JSON, JSONL, TXT, LOG, YAML, or XML exports.
The script does not contact the network. It looks for the CVE, vendor/product
selectors, and affected-version selectors recorded in the Halting Problems profile.
"""
from __future__ import annotations
import csv, json, os, sys
from pathlib import Path

CVE_ID = "CVE-2026-48558"
VENDOR = "SimpleHelp"
PRODUCT = "SimpleHelp"
AFFECTED_VERSION_SELECTORS = [
  "simple-help-simplehelp < 5.5.16",
  "simple-help-simplehelp@6.0"
]
SOURCE_SELECTORS = [
  "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
  "https://nvd.nist.gov/vuln/detail/CVE-2026-48558",
  "https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/",
  "https://simple-help.com/release-news",
  "https://simple-help.com/security/simplehelp-security-update-2026-05",
  "https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/",
  "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48558"
]
DOMAINS = []
HASHES = []
URLS = []
FILES = []
PROCESS_PATTERNS = [PRODUCT, VENDOR, CVE_ID]
NETWORK_PATTERNS = []
INDICATORS = [
  "CVE-2026-48558",
  "SimpleHelp",
  "SimpleHelp",
  "simple-help-simplehelp < 5.5.16",
  "simple-help-simplehelp@6.0",
  "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
  "https://nvd.nist.gov/vuln/detail/CVE-2026-48558",
  "https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/",
  "https://simple-help.com/release-news",
  "https://simple-help.com/security/simplehelp-security-update-2026-05",
  "https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/",
  "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48558"
]
OUT = os.environ.get("OUT", "hp-simplehelp-cve-2026-48558-kev-scope")
TEXT_SUFFIXES = {'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.conf','.ini','.md'}
EXCLUDED_DIR_NAMES = {'.git','node_modules','vendor','dist','__pycache__','.venv'}

def read_text(path: Path) -> str:
    try:
        return path.read_text(encoding='utf-8', errors='ignore')
    except Exception:
        return ''

def iter_files(root: Path):
    if root.is_file():
        yield root; return
    for p in root.rglob('*'):
        if p.is_file() and not any(part in EXCLUDED_DIR_NAMES for part in p.parts):
            if not p.suffix or p.suffix.lower() in TEXT_SUFFIXES:
                yield p

def scan(root: Path):
    matches=[]
    lowered=[s.lower() for s in INDICATORS if s]
    for path in iter_files(root):
        text=read_text(path)
        low=text.lower()
        hits=sorted({INDICATORS[i] for i,s in enumerate(lowered) if s in low})
        if hits:
            matches.append({'path': str(path), 'hits': hits})
    return matches

def main(argv=None):
    argv=argv or sys.argv[1:]
    root=Path(argv[0]) if argv else Path('.')
    matches=scan(root)
    out_dir=Path(OUT); out_dir.mkdir(parents=True, exist_ok=True)
    report={'cve': CVE_ID, 'vendor': VENDOR, 'product': PRODUCT, 'affected_version_selectors': AFFECTED_VERSION_SELECTORS, 'match_count': len(matches), 'matches': matches}
    (out_dir/'scope_report.json').write_text(json.dumps(report, indent=2), encoding='utf-8')
    print(json.dumps({'cve': CVE_ID, 'match_count': len(matches), 'report': str(out_dir/'scope_report.json')}, indent=2))
    return 2 if matches else 0
if __name__ == '__main__':
    raise SystemExit(main())

Provenance & Sources

5 of 5 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%2CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
horizon3.aiSecurity Researcher95%1CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
simple-help.comSecurity Researcher95%2CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
nvd.nist.govSecurity Researcher95%1CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
blackpointcyber.comSecurity Researcher95%1CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.