PROBABLYPWNED
Vulnerabilities · June 30, 2026 · 4 min read

SimpleHelp CVSS 10 Auth Bypass Hits CISA KEV After Malware Surge

CVE-2026-48558 lets attackers bypass OIDC auth and register as technicians. CISA added it to KEV June 29 after TaskWeaver and Djinn Stealer deployments.

Marcus Chen

CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities catalog on June 29, giving federal agencies until July 2 to patch a perfect-10 CVSS vulnerability in SimpleHelp RMM software. The flaw lets unauthenticated attackers forge OIDC tokens and create fully privileged technician accounts—bypassing MFA in the process. Attackers are already using it to deploy two malware families: TaskWeaver and Djinn Stealer.

This isn't SimpleHelp's first time in CISA's catalog. We covered previous SimpleHelp exploitation by DragonForce back in January, when CVE-2024-57727 was being used to compromise utility billing providers. That vulnerability chain gave attackers a path from unauthenticated access to full system compromise. CVE-2026-48558 is arguably worse—it's a single-step bypass with a higher severity score.

How the Attack Works

SimpleHelp supports OpenID Connect (OIDC) authentication, allowing organizations to federate login through identity providers like Azure AD. The vulnerability exists because SimpleHelp's OIDC implementation doesn't verify cryptographic signatures on identity tokens.

An attacker can submit a forged token with arbitrary identity claims during the login flow. SimpleHelp accepts it, creates a new technician account based on those claims, and grants access. The attacker now has a fully authenticated session with all technician privileges—remote endpoint access, script execution, file transfer.

The MFA bypass is particularly nasty. New technicians can self-register their own MFA methods on first login. So even if the organization requires multi-factor authentication, the attacker simply enrolls their own authenticator and passes the check.
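As an added illustration (not SimpleHelp's code, whose internals the write-up does not show), the following Python contrasts the bug pattern described above, trusting whatever claims a token carries, with the check an OIDC relying party has to perform before acting on an identity. Real ID tokens are normally RS256-signed and verified against the identity provider's published JWKS; this example uses HS256 with a constructed shared key so it runs on the standard library alone, and the issuer, audience, key and claim values are all made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, Union


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' (or key=None) yields an unsigned token,
    which is what an attacker who knows signatures are ignored would send."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none" or key is None:
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def vulnerable_identity(token: str) -> dict:
    """The bug pattern: decode the payload and believe it. Nothing about the
    signature, issuer, audience or expiry is checked, so whatever the attacker
    wrote becomes the identity that account auto-provisioning acts on."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verified_identity(token: str, key: bytes, issuer: str, audience: str,
                      now: Optional[float] = None) -> Tuple[bool, Union[str, dict]]:
    """Hardened check: returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm server-side; the token must not get to choose it,
    # which is what stops an alg=none header from disabling the check.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # A correctly signed token can still be the wrong token: check who issued
    # it, who it was issued to, and whether it is still valid.
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in aud:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if not claims.get("sub"):
        return False, "missing sub"
    return True, claims


# Constructed demo values; not real IdP key material or SimpleHelp settings.
NOW = 1_800_000_000
ISSUER = "https://login.example.test/tenant-id"
AUDIENCE = "simplehelp-demo-client"
IDP_KEY = b"demo-idp-signing-key"
ATTACKER_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "attacker",
                   "email": "admin@victim.test", "exp": NOW + 3600}

GENUINE = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                      "email": "alice@example.test", "exp": NOW + 600}, IDP_KEY)
FORGED_UNSIGNED = mint_token(ATTACKER_CLAIMS, None, alg="none")
FORGED_WRONG_KEY = mint_token(ATTACKER_CLAIMS, b"attacker-chosen-key")
EXPIRED = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW - 1}, IDP_KEY)

if __name__ == "__main__":
    for name, tok in [("genuine", GENUINE), ("forged/unsigned", FORGED_UNSIGNED),
                      ("forged/wrong key", FORGED_WRONG_KEY), ("expired", EXPIRED)]:
        print(f"{name:18} vulnerable -> {vulnerable_identity(tok).get('sub')!r:12}"
              f" verified -> {verified_identity(tok, IDP_KEY, ISSUER, AUDIENCE, NOW)}")
```

Signature verification alone is not the whole fix: the hardened path also pins the algorithm so an alg=none header is refused, and checks iss, aud and exp, because a validly signed token from another tenant or a long-expired one is still an attacker's token. Even with all of that in place, auto-provisioning a privileged technician account from a never-before-seen subject is a design choice worth reconsidering independently of the patch.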

Horizon3.ai published detailed IOCs documenting the attack patterns they've observed in the wild.

TaskWeaver: Node.js Loader via Dev-Tunnels

Researchers at BlackPoint Cyber's Adversary Pursuit Group documented the malware deployment chain in their June 29 report. Once attackers establish their technician session, they deploy TaskWeaver—a heavily obfuscated Node.js loader.

TaskWeaver arrives as jquery.js and runs through a legitimate node.exe process. It fingerprints the target system, establishes encrypted communications with attacker-controlled infrastructure at a.dev-tunnels[.]com, and retrieves additional JavaScript payloads. Running under a legitimate Node.js runtime gives the subsequent stages full file-system, network and process access without the attacker having to drop a conspicuous native binary.

The use of developer tunneling services for C2 mirrors tactics we've seen in other recent campaigns, including the BlueKit phishing kit's browser-in-the-middle attacks.

Djinn Stealer: Cross-Platform Credential Harvester

The final payload is Djinn Stealer, a multi-platform information stealer targeting Windows, macOS, and Linux. Its collection scope is aggressive:

  • Browsers: Credentials from Chromium-based and Firefox browsers
  • Password managers and authenticators: Local credential stores
  • Cryptocurrency wallets: Seed phrases and wallet files
  • Development tools: Git credentials, GitHub CLI tokens, SSH keys
  • Cloud platforms: AWS, Azure, Google Cloud credentials and configurations
  • AI assistants: API keys and local configuration
  • Desktop apps: VS Code global storage, Dropbox, Google Drive, OneDrive, iCloud metadata

The cross-platform capability means attackers can deploy the same payload regardless of what endpoints the compromised SimpleHelp instance manages.

Indicators of Compromise

Horizon3.ai's disclosure includes key network indicators:

  • C2 Server: 96.126.130[.]126:58942
  • Communication Domain: a.dev-tunnels[.]com

Organizations should search for these IOCs in proxy, DNS and firewall logs and consider blocking the associated infrastructure at the firewall level. Match the C2 address on any port, not only 58942, since C2 ports change more readily than servers do, and check whether any engineering teams legitimately rely on the tunnel service before blocking the domain outright, as developer tunneling services have ordinary uses too.

Remediation

SimpleHelp released patches addressing CVE-2026-48558. Organizations running SimpleHelp with OIDC or Azure AD authentication should:

  1. Apply patches immediately: Don't wait for the July 2 federal deadline
  2. Audit technician accounts: Look for recently created accounts that don't map to legitimate users
  3. Review MFA enrollments: Check for unexpected authenticator registrations, particularly ones enrolled at first login on a newly created account
  4. Hunt for IOCs: Search logs for connections to the documented C2 infrastructure
  5. Consider network restrictions: Limit which endpoints SimpleHelp can reach until patching is complete, and restrict inbound access to the server's login interface (for example to VPN or management networks), since the bypass is triggered through the login flow itself
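To make the IOC section and step 4 concrete, here is an added Python hunt (not from Horizon3.ai, Blackpoint or the SimpleHelp vendor) that refangs the two published indicators and runs them over log lines. The key=value log format and every address except the two IOCs are constructed for the example; adapt the field extraction to your own proxy, DNS and firewall exports. It goes slightly beyond the page by flagging the C2 address on any port and any subdomain of the tunnel host, while refusing look-alike domains that merely end in the same characters.

```python
import ipaddress
import re
from typing import Dict, List

# The two network indicators from the Horizon3.ai disclosure, kept defanged.
NETWORK_IOCS: Dict[str, str] = {
    "96.126.130[.]126:58942": "TaskWeaver C2 server",
    "a.dev-tunnels[.]com": "TaskWeaver communication domain",
}

_IPV4_PORT = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\w.])")
_HOSTNAME = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)
_SRC = re.compile(r"\bsrc=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(raw: str) -> dict:
    value = refang(raw)
    host, _, port = value.partition(":")
    try:
        return {"kind": "ip", "ip": str(ipaddress.ip_address(host)),
                "port": int(port) if port else None}
    except ValueError:
        return {"kind": "domain", "host": value.lower()}


def _ips_in(line: str):
    for ip, port in _IPV4_PORT.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # drops things like 999.1.1.1
        except ValueError:
            continue
        yield ip, (int(port) if port else None)


def _hosts_in(line: str) -> List[str]:
    return [h.lower() for h in _HOSTNAME.findall(line)]


def hunt(lines: List[str], iocs: Dict[str, str] = NETWORK_IOCS) -> List[dict]:
    """Return one hit per (line, indicator) match, with a confidence label."""
    parsed = {raw: parse_ioc(raw) for raw in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        src_m = _SRC.search(line)
        src = src_m.group(1) if src_m else None
        ips = list(_ips_in(line))
        hosts = _hosts_in(line)
        for raw, ioc in parsed.items():
            if ioc["kind"] == "ip":
                for ip, port in ips:
                    if ip == ioc["ip"]:
                        # Same server on another port is still worth a look: C2 ports move.
                        conf = "high" if ioc["port"] in (None, port) else "medium"
                        hits.append({"line": n, "ioc": raw, "confidence": conf, "src": src, "desc": iocs[raw]})
            else:
                for host in hosts:
                    # Exact host or a subdomain of it; "nota.dev-tunnels.com" must not match.
                    if host == ioc["host"] or host.endswith("." + ioc["host"]):
                        hits.append({"line": n, "ioc": raw, "confidence": "high", "src": src, "desc": iocs[raw]})
    return hits


def hosts_to_triage(hits: List[dict]) -> List[str]:
    """Internal sources that talked to the infrastructure: isolate and image these first."""
    return sorted({h["src"] for h in hits if h["src"]})


# Constructed sample lines in a simple key=value format; only the two IOC
# values are real. Replace with your proxy, DNS and firewall exports.
SAMPLE_LOG = """\
2026-06-28T02:14:07Z proxy src=10.20.1.55 dst=96.126.130.126:58942 host=- action=allow
2026-06-28T02:14:09Z dns src=10.20.1.55 query=a.dev-tunnels.com type=A
2026-06-28T02:15:00Z proxy src=10.20.1.60 dst=203.0.113.9:443 host=www.example.com action=allow
2026-06-28T02:16:11Z proxy src=10.20.1.55 dst=96.126.130.126:443 host=- action=allow
2026-06-28T02:17:00Z dns src=10.20.1.61 query=nota.dev-tunnels.com type=A
2026-06-28T02:18:00Z dns src=10.20.1.62 query=x.a.dev-tunnels.com type=A
""".splitlines()

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']:>3} {h['confidence']:<6} {h['ioc']:<24} src={h['src']}  ({h['desc']})")
    print("triage first:", ", ".join(hosts_to_triage(found)))
```

The medium-confidence hit on port 443 is the reason to key on the address rather than the full socket: if the operators rotate the listening port, a port-exact rule goes quiet while the server keeps talking. The source list that comes out is the starting point for steps 2 and 3, since a host that reached the C2 is the one whose SimpleHelp session and MFA enrollments need the closest look.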

For organizations that have already been compromised, credential rotation across all managed endpoints should be assumed necessary. Given Djinn Stealer's collection scope, that rotation has to extend beyond endpoint passwords to SSH keys, Git and GitHub CLI tokens, cloud platform credentials and any AI-assistant API keys that were stored on those hosts.

The RMM Risk Pattern

Remote monitoring and management tools remain high-value targets. A single compromised RMM instance gives attackers legitimate channels into every endpoint that instance manages. SimpleHelp, ConnectWise ScreenConnect, Ivanti EPM, and other RMM platforms have all faced critical vulnerabilities in recent months.

Organizations using any RMM platform should maintain rigorous patching schedules and consider network-level controls that limit RMM access to necessary endpoints only. The alternative is supply chain compromise at scale—which is exactly what CVE-2026-48558 enables.
