## Overview
CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) list on June 29, 2026. This vulnerability affects SimpleHelp versions 5.5.15 and earlier, as well as pre-release versions of 6.0. The addition to the KEV list indicates a federal deadline for remediation due to evidence of active exploitation.
## Technical Details
The vulnerability lies in the OpenID Connect (OIDC) authentication flow. When OIDC is configured, the system accepts identity tokens during login without verifying their cryptographic signature. This flaw allows a remote, unauthenticated attacker to submit a forged token. The attacker can craft arbitrary identity claims, gaining access to a fully authenticated technician session. In some setups, this vulnerability may also bypass multi-factor authentication, increasing the risk.
## Impact
The impact of CVE-2026-48558 is severe, with a CVSS score of 9.5. Successful exploitation can lead to unauthorized access, allowing attackers to perform actions as if they were legitimate users. This could compromise sensitive data and disrupt operations. The lack of required user interaction further amplifies the risk, making it easier for attackers to exploit this vulnerability.
## Mitigation
Defenders should immediately update to the latest version of SimpleHelp to mitigate this vulnerability. SimpleHelp has released patches addressing the flaw. Organizations should also review their OIDC configurations to ensure proper validation of identity tokens. Regular security assessments and monitoring for unusual login attempts can help detect potential exploitation.
CSURFACE Threat Sensor