SimpleHelp OIDC Auth Bypass Past CISA Deadline: Patch Now
SimpleHelp Server 5.5.15 and earlier accept forged OIDC tokens as valid technician sessions. CVSS 10.0, KEV, patch is 5.5.16 — CISA deadline was July 2.
The federal deadline was 2026-07-02. If you run SimpleHelp Server 5.5.15 or any 6.0 pre-release build with OIDC login turned on, that deadline is now a week behind you and the fix is a point release away. Upgrade to 5.5.16 today. Everything else in this article is context for the report you’re going to have to write about why you didn’t.
CVE-2026-48558 is a 10.0. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-29 — three days after Horizon3.ai published the disclosure and IoCs. The mechanic is the least excusable class of authentication bug there is: the OIDC login path accepts identity tokens without verifying their cryptographic signature. Forge a token, put whatever claims you want in it, and the server hands you back a technician session. In deployments where MFA is enforced on the local login only, the OIDC path bypasses that too, because there’s no MFA challenge on the code that never validated the token in the first place.
Technician access is what matters here. SimpleHelp Server is on-prem remote-support tooling — the whole point of a valid technician login is that it can reach every endpoint enrolled with the server. That’s the same access model that made BeyondTrust’s auth-bypass disclosure a critical last week and it’s the same reason ransomware crews keep coming back to this class of product.
The honest timeline
- 2026-05-27 — SimpleHelp publishes the security update and 5.5.16 lands in release news.
- 2026-06-12 — the CVE record is published to NVD.
- 2026-06-26 — Horizon3.ai publishes technical write-up and IoCs.
- 2026-06-29 — CISA adds it to KEV with a 2026-07-02 federal patch deadline.
- Later — Blackpoint Cyber ties post-exploitation activity to a Node.js intrusion chain crossing SimpleHelp servers in the wild.
Five weeks from vendor patch to KEV. If you’re still on 5.5.15 as of this writing, this isn’t a scheduling problem — that’s a patch-management problem you need to fix in addition to this specific CVE. Put it in the same postmortem folder as the Adobe ColdFusion Friday deadline and the Langflow addition to KEV this week. Different products, same story.
What to actually do
Patch this first, deprioritize almost everything else on your queue this week.
- Upgrade the SimpleHelp Server to 5.5.16 or later. There is no supported mitigation short of the patch — the fix restores signature verification on the OIDC login path.
- If you can’t patch this hour, disable OIDC on the server and restrict the management interface to a bastion or VPN allowlist. Local admin login is not affected by this bug. This buys you until the change window, not longer.
- Assume compromise if the server has been internet-reachable with OIDC configured since 2026-05-27. Pull auth logs and compare against Horizon3.ai’s IoCs. Inventory technician sessions created in that window and revoke anything you can’t account for.
- Rotate credentials on endpoints touched by any suspect technician session. That’s the whole footprint — an unaudited technician session against on-prem RMM is the same threat model as a stolen domain-admin cred with lateral tooling already in place.
- File the KEV miss. You’ll want a written record of when you patched and why the July 2 deadline was missed, because the next SimpleHelp CVE (or the next RMM CVE from a different vendor) will find you looking at the same clock.
The compressed part of this — the part that gets people fired instead of just paged — is the assumed-breach step. If the server is patched but nobody looked at the logs, that’s not a closed ticket. That’s a closed ticket that will reopen itself.
Sources
Found this useful? Share it.