CVE-2026-48558
CRITICAL · 10.0 · EPSS 0.6%. Real vuln, high CVSS, patches available, heavy chatter; no KEV, no PoC, no confirmed exploitation yet; mostly alert amplification.
What: Authentication bypass in SimpleHelp remote support versions ≤5.5.15 and 6.0 pre-release when OIDC is enabled; attacker can forge identity tokens to seize admin sessions and bypass MFA. CVSS 10.0 CRITICAL.
Why it matters: Published 4 days ago with zero EPSS percentile, no KEV listing yet. Chatter shows FOFA identified 106K+ exposed instances; the vendor has issued patches (5.5.16, 6.0RC2). No public PoC or in-the-wild exploitation has been confirmed in posts, but a remote, unauthenticated, no-interaction attack surface is severe for managed service providers and enterprises using OIDC.
Where it's seen: Infosec Twitter/Bluesky circulation of NVD description, FOFA database alerts, vulnerability aggregators. Tone emphasizes criticality and patch availability rather than exploit tooling or active abuse.
RISK: CRITICAL — Unauthenticated remote auth bypass affecting remote support tools; 106K+ exposed instances; MFA can be bypassed even where it is configured.
Description
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
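The defect described above is the difference between reading the claims out of an ID token and actually validating the token. The following is an added illustration, not SimpleHelp's code: it shows the vulnerable pattern (decode the payload and trust it) beside the validation an OIDC relying party must perform (pin the algorithm, verify the signature, then check issuer, audience and expiry). To stay self-contained it uses an HS256 shared secret and constructed issuer/audience values; a real OIDC deployment verifies RS256/ES256 signatures against the provider's published JWKS, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example only). A real relying
# party verifies RS256/ES256 signatures against the IdP's JWKS, not a shared key.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.test"   # the IdP the app was configured with
EXPECTED_AUDIENCE = "remote-support-client"     # the app's own client_id


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes = DEMO_SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS so the two validators below have input to work on."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    # Only HS256 is signed here; any other alg yields an empty signature segment.
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def insecure_identity(token: str) -> dict:
    """The vulnerable pattern: trust whatever the payload says.

    Signature, issuer, audience and lifetime are never checked, so the
    identity the server acts on is whatever the client chose to write.
    """
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verified_identity(token: str, key: bytes = DEMO_SECRET,
                      now: Optional[float] = None) -> dict:
    """Hardened validation: pin the algorithm, verify the signature, then the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token pick it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims


if __name__ == "__main__":
    good = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "sub": "tech-1", "exp": time.time() + 300})
    # Token signed with a key the IdP never issued: the payload alone looks fine.
    untrusted = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                            "sub": "admin", "exp": time.time() + 300},
                           key=b"some-other-key")
    print(verified_identity(good)["sub"])        # tech-1
    print(insecure_identity(untrusted)["sub"])   # admin: accepted without any check
    try:
        verified_identity(untrusted)
    except ValueError as e:
        print("rejected:", e)                    # rejected: bad signature
```

Two design points carry over to any OIDC implementation regardless of language: the accepted algorithm is fixed by configuration rather than read from the token header, and the signature is checked before any claim is inspected, so a token that fails verification never influences which user record is looked up.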
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High