Attackers Exploit SimpleHelp Authentication Bypass to Deploy TaskWeaver and Djinn Stealer
Unknown threat actor exploits CVE-2026-48558 (CVSS 10.0) in SimpleHelp RMM to deliver two new malware families targeting cloud credentials and developer infrastructure.
Attack Brief
Target: SimpleHelp Remote Monitoring and Management (RMM) software
Vector: OpenID Connect (OIDC) authentication bypass via forged token submission; CVE-2026-48558
Attribution: unattributed
Technical Details
CVE IDs: CVE-2026-48558
MITRE ATT&CK: T1078, T1566.002, T1005, T1555
IoCs: a.dev-tunnels[.]com
Affected: SimpleHelp servers configured with generic OIDC or Azure AD OIDC authentication; all versions affected by CVE-2026-48558
Impact
Confirmed Damage: Unauthenticated attackers can obtain authenticated Technician sessions, bypass MFA on first login, execute arbitrary commands on managed endpoints, and deploy malware to harvest credentials from cloud platforms, source control systems, SSH keys, cryptocurrency wallets, and developer infrastructure across Windows, macOS, and Linux systems.
Context
Similar Attacks: CVE-2026-48558 discovered by Horizon3.ai; exploitation chain documented by Blackpoint Cyber researchers Nevan Beal and Sam Decker; the vulnerability allows self-registration of MFA methods by newly created Technician accounts, enabling MFA bypass
Source
https://thehackernews.com/2026/06/attackers-exploit-simplehelp-cve-2026.html by The Hacker News on 2026-06-30T00:00:00Z (3 sources)