NewsCloud & DevOpsSecurity

SimpleHelp CVE-2026-48558: MSP Supply Chain Under Attack

Server rack with warning indicators representing SimpleHelp CVE-2026-48558 authentication bypass vulnerability targeting MSP supply chains
SimpleHelp CVE-2026-48558: CVSS 10.0 authentication bypass actively exploited in MSP environments

A CVSS 10.0 authentication bypass in SimpleHelp RMM is being actively exploited to plant credential-stealing malware across managed service provider environments. Attackers need no credentials — they forge an OpenID Connect token, walk in as a Technician, and push malware to every endpoint that MSP touches. CISA added it to the Known Exploited Vulnerabilities catalog on June 29. The patch shipped in early June. If you run SimpleHelp — or if your managed service provider does — the window to act without incident response overhead closed a week ago.

The Flaw That Requires No Skill to Exploit

CVE-2026-48558 sits in SimpleHelp’s OpenID Connect authentication handler. When OIDC is configured with group-authenticated logins, SimpleHelp accepts identity tokens without verifying their cryptographic signatures. An attacker who can reach the server’s callback endpoint submits a forged token, gets a fully authenticated Technician session, and has administrative access to the entire server — no credentials, no vulnerability chaining, no user interaction required.

Horizon3.ai described it as “immediately exploitable given public OIDC callback documentation.” CVSS 10.0. CWE-347. The exploit is essentially filling in a web form with a forged value that the server never checks.

Affected versions: SimpleHelp 5.5.0 through 5.5.15 and 6.0 pre-release builds.
Fixed versions: 5.5.16 and 6.0 RC2, both released June 9, 2026.

Why Attacking an MSP’s RMM Tool Is Much Worse Than Attacking the MSP

SimpleHelp is the nerve center for MSP operations. A single SimpleHelp server manages thousands of client endpoints — it can push software, execute commands, and transfer files across every machine under that MSP’s umbrella. Compromise the server, and you inherit the entire customer tree with full administrative rights.

This is the Kaseya VSA playbook from 2021: attack the tooling layer, not individual companies. One server, thousands of victims. Internet scans at the time of disclosure found approximately 14,000 SimpleHelp servers exposed to the public internet. About 7.2% use OIDC — meaning roughly 1,000 servers were directly exploitable the moment this dropped.

The smaller profile of SimpleHelp compared to NinjaOne or ConnectWise is a liability, not an asset. Defenders invest less in monitoring tools they consider fringe. Attackers disagree.

Djinn Stealer Is Built for Developer Machines

The second-stage payload deployed through this campaign, Djinn Stealer, is not a generic infostealer. It is cross-platform (Windows, macOS, Linux) and specifically engineered to strip developer and infrastructure environments in a single pass.

Djinn Stealer targets cloud credentials across AWS, Azure, GCP, Cloudflare, Vercel, Supabase, DigitalOcean, and HashiCorp Vault. It pulls package registry authentication tokens from npm, PyPI, NuGet, and Composer — credentials that can be used to publish malicious packages to public registries without touching the compromised server again. It also collects MCP server configuration files, AI coding assistant authentication tokens, SSH keys, Git configurations, browser sessions, and cryptocurrency wallet files.

A stolen npm publish token does not expire when you patch the RMM server. That credential persists independently, giving attackers re-entry through trusted services — and a path to software supply chain compromise that has nothing to do with SimpleHelp anymore.

How TaskWeaver Gets In and Stays In

TaskWeaver is the loader that drops Djinn Stealer. It arrives disguised as jquery.js and executes through node.exe — legitimate-looking processes that blend into developer environments. It establishes AES-256-GCM encrypted command-and-control channels over Cloudflare Tunnel infrastructure, making network-level detection harder. The loader is modular, allowing attackers to swap payloads dynamically after initial access.

Confirmed C2 traffic to 96.126.130[.]126:58942 is the clearest network-level indicator to hunt for. Full IOC lists, including hashes and behavioral indicators, are published by Horizon3.ai.

What to Do Right Now

If you run SimpleHelp:

  • Upgrade to 5.5.16 or 6.0 RC2 immediately
  • If patching will take time: disable OIDC authentication under Administration → Login Security
  • Restrict SimpleHelp web access to trusted IP ranges via firewall or VPN
  • Audit your Technician account list for entries you did not create

If you may have been compromised:

  • Rotate all cloud provider credentials, package registry tokens, SSH keys, and AI tool authentication tokens on every managed endpoint
  • Hunt for TaskWeaver: node.exe running jquery.js, connections to Cloudflare Tunnel or dev-tunnels domains, network traffic to the confirmed C2 address
  • Check npm, PyPI, and NuGet publish logs for unauthorized package releases
  • Review MCP configuration files across managed machines for tampering
  • Pull full IOC lists from Arctic Wolf and Blackpoint Cyber’s published advisories

The supply chain attack through trusted tooling is not a new pattern. What is new is that the credential theft now specifically targets AI coding infrastructure — the keys that connect developers to their models, their repos, and their deployed agents. Those credentials are worth more to an attacker than a compromised workstation ever was.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News