CISA KEV Alert 6/29/2026, 10:32:06 PM

SimpleHelp Auth Bypass Flaw (CVE‑2026‑48558) Grants Tech Access


CISA has added CVE‑2026‑48558 to its Known Exploited Vulnerabilities (KEV) catalogue. The affected vendor and product are both SimpleHelp, and the entry is named the SimpleHelp Authentication Bypass Vulnerability. In one sentence: the flaw allows a remote, unauthenticated attacker to submit a forged OpenID Connect identity token that is accepted without signature verification, granting a fully authenticated technician session and, in some configurations, bypassing multi‑factor authentication.

The vulnerability is an authentication bypass in the OIDC authentication flow. When OIDC is enabled, identity tokens presented during login are not checked for cryptographic validity, enabling an attacker to inject arbitrary claims and obtain privileged access. The CVSS score is 10.0, rated CRITICAL, and a patch is available from the vendor.
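The bug class described above, shown as an added example that is not SimpleHelp's code or CISA's: a login path that trusts the decoded ID token payload as-is, beside one that pins the algorithm, checks the signature, and validates issuer, audience and expiry before honouring any claim. HS256 with a shared client secret is assumed so the example runs on the standard library alone; a production relying party validates RS256 tokens against the provider's published JWKS, and every secret, issuer and claim value here is constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    # What the identity provider would issue: header.payload.signature (HS256 assumed).
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def forged_token(claims: dict) -> str:
    # Constructed: attacker-chosen claims with no valid signature part.
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def vulnerable_login(token: str) -> dict:
    # The advisory's bug class: the payload is decoded and trusted, never verified.
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))

def verified_login(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    # Hardened path: pinned algorithm, signature check, then claim validation.
    h64, p64, s64 = token.split(".")
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour "none" or a client-chosen alg
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

# Constructed sample data for the demonstration.
SECRET = b"constructed-client-secret"
ISSUER, AUDIENCE, NOW = "https://idp.example", "remote-support-app", 1_900_000_000
GOOD = {"iss": ISSUER, "aud": AUDIENCE, "sub": "tech1", "role": "technician", "exp": 2_000_000_000}
REAL = sign_hs256(GOOD, SECRET)
FORGED = forged_token({**GOOD, "sub": "attacker"})
```

The unverified path hands the forged token a technician session under the attacker's chosen subject, while the verified path rejects it at the algorithm check before any claim is read.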

Active exploitation has been confirmed, which is the basis for the KEV entry; there is no publicly known link to ransomware campaigns at this time. CISA has set a remediation deadline of 2026‑07‑02 for federal civilian executive branch agencies.

CISA requires that organisations immediately and thoroughly apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and adhere to BOD 26‑04 patching guidelines. While the directive binds FCEB agencies, all organisations should review their SimpleHelp deployments for exposure.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48558 and the CISA KEV catalogue.


Article by CyberSIXT
