SimpleHelp SimpleHelp CVE-2026-48558: KEV exploited vulnerability

Suspected
Discovered Jun 29, 2026

SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. CISA added it to KEV on 2026-06-29, making it an in-scope exploited-vulnerability coverage item.

1
Affected Packages
2
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
simple-help:simplehelp
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
SimpleHelp
CVE-2026-48558

Analysis

Executive Summary

CVE-2026-48558 is tracked here because CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-29 with a remediation due date of 2026-07-02 [1]. The affected product is SimpleHelp SimpleHelp. CISA describes the vulnerability as: SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. [1]

This is not a generic CVE roundup entry. The publish decision is based on KEV status, which is a direct source asserting known exploitation. Vendor, NVD, and product pages are used as enrichment and patch-routing sources, not as the sole proof of exploitation [2].

Key Facts

CVE: CVE-2026-48558

Vendor: SimpleHelp

Product: SimpleHelp

Vulnerability name: SimpleHelp Authentication Bypass Vulnerability

CISA KEV added: 2026-06-29

CISA remediation due date: 2026-07-02

Known ransomware campaign use: Unknown

CWE: CWE-347

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-48558 for SimpleHelp SimpleHelp and states this class of entry is a known exploited vulnerability [1].
  • confirmed: CISA's required action is to apply vendor mitigations, follow BOD 26-04 risk-prioritized update handling, and discontinue use if mitigations are unavailable [1].
  • confirmed: CISA's notes point defenders to the vendor/product advisory or product page and NVD enrichment for CVE-2026-48558 [2].
  • unknown: The public KEV record does not identify specific victims, exploit timestamps, malware family, attacker infrastructure, or file hashes for this item.
  • confirmed: Affected/fixed version guidance: affected SimpleHelp 5.5.15 and earlier, plus 6.0 pre-release versions; fixed/remediated SimpleHelp 5.5.16 for v5.5.x users and SimpleHelp 6.0 RC2 for v6.0 pre-release users. Evidence: SimpleHelp 2026-05 security update and NVD CPE configuration..

Affected and Fixed Versions

  • Package/product coordinate: simple-help:simplehelp
  • Affected: SimpleHelp 5.5.15 and earlier, plus 6.0 pre-release versions
  • Fixed/remediated: SimpleHelp 5.5.16 for v5.5.x users and SimpleHelp 6.0 RC2 for v6.0 pre-release users
  • Version evidence: SimpleHelp 2026-05 security update and NVD CPE configuration.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRequired actionClosure condition
Confirmed affectedSimpleHelp SimpleHelp asset is present in scope and version/fix state matches SimpleHelp 5.5.15 and earlier, plus 6.0 pre-release versions.Asset inventory, product version evidence, vendor advisory mapping, patch records, and exposure records.Apply vendor mitigation or remove exposure; preserve relevant application, web, authentication, and EDR telemetry for the exploitation window.Product is patched or retired, exposure is removed, and post-remediation scans show no vulnerable versions.
Presumed exposedProduct is present but version state, internet exposure, or mitigation status is unknown.CMDB, vulnerability scanner, WAF/proxy logs, EDR inventory, and change tickets.Treat as at-risk until version and mitigation status are proven.Inventory and patch evidence are complete.
Not observedNo asset, package, appliance, or service record references SimpleHelp SimpleHelp or CVE-2026-48558.Current asset inventory and vulnerability scan coverage.Keep monitoring KEV and vendor advisories.Coverage timestamp and query scope are archived.

Timeline

  • 2026-06-29: CISA adds CVE-2026-48558 to KEV and sets a remediation due date of 2026-07-02 [1].
  • 2026-06-29: This local refresh creates a conservative Halting Problems research folder and defensive scope scanner for simplehelp-simplehelp-cve-2026-48558-kev.

Remediation Guidance

For SimpleHelp SimpleHelp, remediation should be tied to the vendor source listed by CISA, not a generic patch checklist. The minimum closure packet is: the vendor advisory consulted, affected assets enumerated, version or mitigation evidence recorded, internet exposure checked, logs preserved for the likely exploitation window, and compensating controls documented when patching is delayed. CISA's KEV due date of 2026-07-02 should drive urgency [1].

Open Questions

  • Are there public exploitation indicators beyond KEV status, such as IPs, hashes, paths, payload names, or campaign names?
  • Which local assets expose SimpleHelp SimpleHelp to untrusted networks?
  • Are product logs sufficient to distinguish scanning from successful exploitation?

IOC and Source-Selector Handling

No incident-specific attacker infrastructure, hashes, payload paths, victim list, or campaign attribution is currently published for CVE-2026-48558 in the reviewed public sources. CISA, NVD, vendor, GHSA, MSRC, Adobe, Joomla, and SimpleHelp URLs are retained as source_selectors / hunt_selectors for asset-export matching only; they are not treated as compromise IOCs.

Evidence sources to preserve

  • SimpleHelp server logs
  • OIDC identity-provider sign-in and token logs
  • remote support session records
  • reverse proxy logs
  • endpoint EDR telemetry for technician/customer hosts

Product-specific hunts

  • Review OIDC authentication bypass signs such as unexpected users, sessions without expected IdP flow, or token anomalies.
  • Audit remote-support sessions, technician actions, file transfer, command execution, and customer host access during the exposure window.
  • Correlate SimpleHelp server events with IdP logs and downstream endpoint activity for unauthorized remote access.

Containment actions

  • Restrict SimpleHelp exposure and disable affected OIDC integrations until updated to 5.5.16 or 6.0 RC2+ as applicable.
  • Revoke active SimpleHelp sessions and rotate OIDC client secrets if unauthorized access is suspected.
  • Snapshot SimpleHelp server state, IdP logs, and session history before cleanup.

Evidence Handling Requirements

  • Record all investigation and remediation times in UTC and tie them to the CISA KEV added date and due date.
  • Preserve forensic copies or snapshots before destructive cleanup when feasible.
  • Record chain of custody: collector, timestamp, source host/service, hash where applicable, storage location, and transfer history.
  • Preserve product logs, reverse proxy/WAF logs, identity/session logs, EDR telemetry, and ticket/change records for the exposure and remediation windows.
  • Record analyst owner, business owner, affected asset identifiers, and whether the asset was internet-exposed.

Strengthened Remediation and Closure Gates

  • Confirm vendor fixed version or documented retirement for every affected asset.
  • Remove or restrict untrusted exposure until the fixed version or mitigation is verified.
  • Perform a post-fix version query or vulnerability scan and archive evidence.
  • Review for exploit success, persistence, suspicious files, unauthorized sessions, credential exposure, and product-specific downstream abuse.
  • Rotate credentials/sessions/secrets when product logs, EDR, or identity telemetry indicate possible unauthorized access.
  • Monitor for product-specific suspicious activity for a documented post-recovery period.

Sources

Timeline

5 of 5 rows

Timeline
DateEventDescriptionSource
Jun 29, 2026First seenFirst seen recorded for SimpleHelp SimpleHelp CVE-2026-48558: KEV exploited vulnerability.cisa.gov
Jun 29, 2026DiscoveryDiscovery recorded for SimpleHelp SimpleHelp CVE-2026-48558: KEV exploited vulnerability.cisa.gov
Jun 29, 2026DisclosureDisclosure recorded for SimpleHelp SimpleHelp CVE-2026-48558: KEV exploited vulnerability.cisa.gov
Invalid DatePatch or fixPatch or fix recorded for SimpleHelp SimpleHelp CVE-2026-48558: KEV exploited vulnerability.cisa.gov
Jun 29, 2026SimpleHelp SimpleHelp CVE-2026-48558: KEV exploited vulnerabilityUnknowncisa.gov

Affected Software

1 of 1 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
simple-help:simplehelpenterprise-softwareSimpleHelp 5.5.15 and earlier, plus 6.0 pre-release versions (fixed: SimpleHelp 5.5.16 for v5.5.x users and SimpleHelp 6.0 RC2 for v6.0 pre-release users; evidence: SimpleHelp 2026-05 security update and NVD CPE configuration.)Malicious65%cisa.gov; nvd.nist.gov; simple-help.com

IOC Clipboard

2 IOCs
commandSimpleHelp
commandCVE-2026-48558

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
SimpleHelp SimpleHelp asset, advisory, and telemetry selector scanPythonDo exported records reference CVE-2026-48558 or SimpleHelp SimpleHelp during the KEV remediation window?scripts/simplehelp_simplehelp_cve_2026_48558_kev_scope_scan.py opens in a new tabcisa.gov

Hunt Manifest: SimpleHelp SimpleHelp asset, advisory, and telemetry selector scan

Title
SimpleHelp SimpleHelp asset, advisory, and telemetry selector scan
Question
Do exported records reference CVE-2026-48558 or SimpleHelp SimpleHelp during the KEV remediation window?
Telemetry Family
Python
Repository
scripts/simplehelp_simplehelp_cve_2026_48558_kev_scope_scan.py
Show tested hunting scriptscripts/simplehelp_simplehelp_cve_2026_48558_kev_scope_scan.py
scripts/simplehelp_simplehelp_cve_2026_48558_kev_scope_scan.py opens in a new tabPython
#!/usr/bin/env python3
"""Defensive scope scanner for CVE-2026-48558 (SimpleHelp SimpleHelp).

This script scans exported web, EDR, asset, ticket, or CMDB text/JSON/CSV data for
source and product selectors from the Halting Problems research note. It does not
contact the network and does not execute target artifacts.
"""
from __future__ import annotations

import argparse
import json
import os
from pathlib import Path

CVE_ID = 'CVE-2026-48558'
VENDOR = 'SimpleHelp'
PRODUCT = 'SimpleHelp'
VULNERABILITY_NAME = 'SimpleHelp Authentication Bypass Vulnerability'
SOURCE_DOMAINS = ['www.cisa.gov', 'simple-help.com', 'nvd.nist.gov']
AFFECTED_VERSION_RANGE = 'SimpleHelp 5.5.15 and earlier, plus 6.0 pre-release versions'
FIXED_VERSION = 'SimpleHelp 5.5.16 for v5.5.x users and SimpleHelp 6.0 RC2 for v6.0 pre-release users'
PACKAGE_COORDINATE = 'simple-help:simplehelp'
SOURCE_URLS = ['https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=cve-2026-48558', 'https://simple-help.com/security/simplehelp-security-update-2026-05', 'https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk', 'https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk', 'https://nvd.nist.gov/vuln/detail/CVE-2026-48558']
PRODUCT_MARKERS = ['CVE-2026-48558', 'SimpleHelp', 'SimpleHelp', 'SimpleHelp Authentication Bypass Vulnerability']
OUT_DEFAULT = "hp-simplehelp-simplehelp-cve-2026-48558-kev-scope"
TEXT_EXTENSIONS = {".txt", ".log", ".json", ".jsonl", ".csv", ".tsv", ".yaml", ".yml", ".xml", ".html", ".md"}


def iter_files(root: Path):
    exclude_dirs = {".git", "node_modules", "vendor", "dist", "build", ".venv", "__pycache__"}
    for current, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in exclude_dirs]
        for name in files:
            path = Path(current) / name
            if path.suffix.lower() in TEXT_EXTENSIONS or path.stat().st_size < 2_000_000:
                yield path


def read_text(path: Path) -> str:
    try:
        return path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return ""


def main() -> int:
    parser = argparse.ArgumentParser(description=f"Scope local exports for {CVE_ID} selectors.")
    parser.add_argument("root", nargs="?", default=".", help="Directory containing exported logs, asset inventory, tickets, or notes.")
    parser.add_argument("--out", default=OUT_DEFAULT, help="Output directory for report.json and matched files list.")
    args = parser.parse_args()

    root = Path(args.root).resolve()
    out = Path(args.out).resolve()
    out.mkdir(parents=True, exist_ok=True)

    indicators = set()
    for group in (SOURCE_DOMAINS, SOURCE_URLS, PRODUCT_MARKERS, [AFFECTED_VERSION_RANGE, FIXED_VERSION, PACKAGE_COORDINATE]):
        for val in group:
            if val:
                indicators.add(str(val))

    hits = []
    for path in iter_files(root):
        text = read_text(path)
        lower = text.lower()
        matched = sorted(ind for ind in indicators if ind.lower() in lower)
        if matched:
            hits.append({"path": str(path.relative_to(root)), "selectors": matched})

    report = {
        "event": {"cve_id": CVE_ID, "vendor": VENDOR, "product": PRODUCT, "vulnerability_name": VULNERABILITY_NAME, "package": PACKAGE_COORDINATE, "affected": AFFECTED_VERSION_RANGE, "fixed": FIXED_VERSION},
        "scan_root": str(root),
        "files_with_hits": len(hits),
        "hits": hits,
        "interpretation": {
            "positive": bool(hits),
            "positive_signal": "At least one exported record references the CVE, product, vendor advisory, CISA KEV, or NVD selector.",
            "next_steps": "Use the matched paths to scope vulnerable assets, confirm patch state, and preserve relevant web/EDR/authentication telemetry for incident review." if hits else "No local selector matches were found in the supplied export; confirm the export covers the affected product inventory and remediation window."
        }
    }
    (out / "report.json").write_text(json.dumps(report, indent=2), encoding="utf-8")
    matched_text = "\n".join(hit["path"] for hit in hits) + ("\n" if hits else "")
    (out / "matched_files.txt").write_text(matched_text, encoding="utf-8")
    print(json.dumps({"cve_id": CVE_ID, "files_with_hits": len(hits), "report": str(out / "report.json")}, indent=2))
    return 1 if False else 0


if __name__ == "__main__":
    raise SystemExit(main())

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%3SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. CISA added it to KEV on 2026-06-29, making it an in-scope exploited-vulnerability coverage item.
nvd.nist.govSecurity Researcher95%1SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. CISA added it to KEV on 2026-06-29, making it an in-scope exploited-vulnerability coverage item.
simple-help.comSecurity Researcher95%1SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. CISA added it to KEV on 2026-06-29, making it an in-scope exploited-vulnerability coverage item.