Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

[KEV] CVE-2026-48558 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-48558 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-48558 is an authentication bypass vulnerability in SimpleHelp's OIDC authentication flow, affecting the SimpleHelp remote support platform developed by SimpleHelp Ltd.

Technical Detail

The flaw exists in how SimpleHelp processes OpenID Connect identity tokens during login: the application accepts submitted tokens without verifying their cryptographic signatures, meaning an attacker can forge arbitrary token contents. A remote, unauthenticated attacker can craft a token containing identity claims for any user and submit it to the login endpoint to obtain a fully authenticated technician session. In configurations where MFA is enforced through the OIDC flow, this bypass may also circumvent multi-factor authentication controls entirely, as the forged token can satisfy identity assertions that would normally trigger MFA validation.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 29, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable, real-world use exists and is being actively leveraged against targets. This is not a theoretical or proof-of-concept risk; exploitation requires no authentication and no user interaction, lowering the barrier for widespread abuse.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability in available intelligence. Given that SimpleHelp is widely deployed in managed service provider environments, opportunistic and targeted actors with interest in MSP infrastructure should be considered a plausible threat profile, though this is not confirmed attribution.

What To Do

Per CISA's Known Exploited Vulnerabilities binding directive (BOD 22-01), federal civilian executive branch agencies are required to apply mitigations or patch by the deadline associated with the June 29, 2026 KEV listing. All organizations running SimpleHelp with OIDC authentication configured should treat this as an emergency priority patch. Until a patch is applied, organizations should consider disabling OIDC authentication and reverting to local authentication as a temporary workaround if operationally feasible. Detection focus should be placed on reviewing technician session creation logs for sessions originating from unexpected IP addresses or at unusual times, particularly those authenticated via OIDC. Review audit logs for any unauthorized technician account activity or privilege changes that may indicate post-exploitation actions. Contact SimpleHelp directly to confirm the patched version applicable to your deployment and apply it immediately.

All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →