Critical SimpleHelp Vulnerability Exploited for Malware Delivery
Critical SimpleHelp RMM vulnerability (CVE-2026-48558) exploited for malware delivery.
Summary
A critical authentication bypass vulnerability in SimpleHelp RMM software, CVE-2026-48558, is being actively exploited to deliver malware. Attackers can gain full technician sessions by submitting forged OIDC tokens, enabling them to transfer files and execute commands. The exploited vulnerability has been added to CISA's KEV catalog, urging immediate patching.
Full text
A recent authentication bypass vulnerability in the SimpleHelp remote monitoring and management (RMM) software has been exploited for malware delivery.

Tracked as CVE-2026-48558 (CVSS score of 10), the bug impacts SimpleHelp’s OpenID Connect (OIDC) authentication flow and allows a remote attacker to obtain a fully authenticated technician session. The issue exists because, when OIDC authentication is configured, the application does not verify the cryptographic signature of identity tokens, so an unauthenticated attacker can submit a forged token during login and be accepted as a technician.

Because an RMM server controls the endpoints it manages, an attacker who reaches an internet-facing SimpleHelp server this way can transfer files to, and execute commands on, all systems managed through that server.

In an attack observed by Blackpoint, a threat actor abused this access to deploy two malware families: TaskWeaver, a Node.js loader, and Djinn Stealer, a cross-platform information stealer. TaskWeaver was used to perform system fingerprinting and to deploy a JavaScript payload that was executed with full Node.js access. The loader has a simple structure and can be used to deploy any encrypted payload, Blackpoint says.

Djinn was specifically designed to steal secrets from developer machines, including cloud credentials, SSH keys, infrastructure configurations, source control tokens, package registry authentication, development tooling, cryptocurrency wallets, and all browser data. “Most notably, it takes the credentials for AI development tools, giving an attacker a foothold to tamper with the very pipelines teams are building on,” Blackpoint notes.

The security defect was addressed in late May in SimpleHelp versions 5.5.16 and 6.0 RC2. Organizations are advised to update their deployments and to check application logs for unfamiliar technician names and email addresses, since a forged token that was accepted would show up as a technician identity nobody provisioned.
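To make the bug class concrete, the following is an added example written for this edit; it is not SimpleHelp’s code and does not reproduce its implementation. It shows an OIDC relying-party login that decodes the ID token’s claims without checking the JWS signature (the pattern the advisory describes), beside a hardened version that pins the algorithm, verifies the signature, and validates issuer, audience and expiry before trusting any claim. The issuer URL, client_id, signing secret and token contents are constructed. HS256 is used so the block runs on the Python standard library alone; production OIDC providers normally sign ID tokens with RS256 or ES256 and publish the public keys in a JWKS document, and a real relying party must take the key from there, never from anything inside the token itself.

```python
"""Generic OIDC relying-party example (not SimpleHelp code): unverified vs
verified ID-token handling. All keys, URLs and claims below are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IDP_SECRET = b"constructed-example-secret-do-not-reuse"   # constructed
EXPECTED_ISSUER = "https://idp.example.test"              # constructed
EXPECTED_AUDIENCE = "rmm-console"                         # constructed client_id
ALLOWED_ALGS = {"HS256"}                                  # pin: never accept "none"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS. alg="none" leaves the signature empty, which is how
    one common forged-token variant is constructed."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def vulnerable_login(token: str) -> str:
    """The bug class: claims are decoded and trusted, the signature is never
    checked, so whoever reaches the login endpoint picks the technician identity."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))["email"]


def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Hardened check: algorithm pinned, constant-time signature compare, then
    iss / aud / exp validated before any claim is used."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:          # blocks alg=none / confusion
        raise ValueError("disallowed alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims


def hardened_login(token: str, key: bytes = IDP_SECRET,
                   now: Optional[float] = None) -> Optional[str]:
    """Technician identity only if the token verifies; None otherwise."""
    try:
        return verify_id_token(token, key, now)["email"]
    except (ValueError, KeyError):
        return None


# Constructed tokens: one issued with the real key, two forged without it.
NOW = 1_800_000_000
_BASE = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": NOW + 300}
GENUINE = make_id_token({**_BASE, "sub": "t-1001", "email": "tech@example.test"}, IDP_SECRET)
FORGED_BAD_SIG = make_id_token({**_BASE, "sub": "t-0", "email": "attacker@example.test"},
                               b"attacker-guess")
FORGED_ALG_NONE = make_id_token({**_BASE, "sub": "t-0", "email": "attacker@example.test"},
                                b"", alg="none")

if __name__ == "__main__":
    for name, tok in [("genuine", GENUINE), ("forged/bad-sig", FORGED_BAD_SIG),
                      ("forged/alg-none", FORGED_ALG_NONE)]:
        print(f"{name:16} vulnerable -> {vulnerable_login(tok)!r:28} "
              f"hardened -> {hardened_login(tok, now=NOW)!r}")
```

Running the block prints one line per token: the vulnerable path returns the attacker-chosen address for both forged tokens, while the hardened path returns None for them and for a genuine token that has expired. The `ALLOWED_ALGS` pin matters as much as the signature check itself; accepting whatever `alg` the header names reopens the same bypass through `none` or key-type confusion.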
On Monday, following Blackpoint’s report, the US cybersecurity agency CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 guidance.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-48558