
The US Cybersecurity and Infrastructure Security Agency has added CVE-2026-48558 to its Known Exploited Vulnerabilities catalogue after confirming that a remote, unauthenticated attacker can bypass authentication in SimpleHelp by presenting a forged OpenID Connect identity token (CISA advisory).
The flaw resides in the OIDC login flow, where identity tokens are accepted without cryptographic signature verification. This allows an attacker to inject arbitrary claims and obtain a fully authenticated technician session, which in some configurations also bypasses multi-factor authentication (CVE record).
SimpleHelp remote management software is affected when the OIDC authentication method is enabled. The vulnerability carries a CVSS score of 10.0, reflecting its critical impact (SimpleHelp security update).
Threat actors have already weaponised the issue, as demonstrated by the Djinn infostealer malware, which uses the flaw to gain administrative access and exfiltrate cloud and AI credentials, a technique highlighted in a DarkReading report (DarkReading article).
Defenders should apply the security update published by SimpleHelp, disable OIDC if it is not required, review authentication logs for tokens that lack valid signatures, and enforce network segmentation to limit exposure of management interfaces (securityonline info).
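
The root cause described above, reading claims from an identity token without checking its signature, is shown here beside a verifying counterpart. This is an added example, not SimpleHelp's code; the key, issuer, audience and the use of HS256 shared-secret signing are assumptions chosen so that it runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not taken from any real deployment).
KEY = b"constructed-shared-secret"
ISSUER = "https://idp.example.test"
AUDIENCE = "remote-support-console"

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Sample-data helper: mint an HS256 token as an identity provider would."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def claims_unverified(token):
    """Flawed pattern: decodes the payload and never looks at the signature."""
    return json.loads(b64d(token.split(".")[1]))

def verify_id_token(token, key, issuer, audience, now=None):
    """Return the claims only if signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm on the server side; never let the header choose it.
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(b64d(body))
        aud = claims.get("aud")
        aud_ok = aud == audience or (isinstance(aud, list) and audience in aud)
        if claims.get("iss") != issuer or not aud_ok or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):  # malformed or non-JWT input
        return None

if __name__ == "__main__":
    ok = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                     "exp": time.time() + 300}, KEY)
    print(verify_id_token(ok, KEY, ISSUER, AUDIENCE))
```

Deployments that use asymmetric signing verify against the identity provider's published keys instead of a shared secret; the order of checks stays the same.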