Patch SimpleHelp OIDC before CISA's July 2 KEV deadline


CISA added CVE-2026-48558 to KEV on June 29, giving defenders a July 2 deadline for a SimpleHelp OIDC authentication bypass that can create technician sessions.

Confirmed: CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog on June 29, 2026. The issue affects SimpleHelp deployments using OIDC authentication and can let an unauthenticated attacker obtain a technician session in vulnerable configurations.

[Image: SimpleHelp authentication bypass research image]

Caption: Horizon3.ai's source image for the SimpleHelp CVE-2026-48558 disclosure. Source: Horizon3.ai.

What changed

CISA's KEV catalog now lists CVE-2026-48558 as a SimpleHelp authentication bypass vulnerability with a required action due date of July 2, 2026. The catalog entry says identity tokens submitted during OIDC login are accepted without cryptographic signature verification.

Horizon3.ai disclosed the issue on June 12 and described the risky configuration: OIDC enabled, a technician group associated with that OIDC provider, and group-authenticated logins enabled. In that setup, a remote attacker can create a technician account or authenticate as an existing one.
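The CWE-347 class of bug named in the KEV entry comes down to one distinction: decoding the claims inside an ID token versus verifying that the identity provider actually signed them. The following is an added illustration, not SimpleHelp's code or anything from Horizon3.ai's note. It assumes HS256 with a shared key purely so it runs offline (real OIDC providers typically sign with RS256 against keys from their JWKS endpoint, but the verifier-side checks are the same); the issuer, client_id, key material and claims are constructed test values.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Stands in for the identity provider (assumption:
    HS256 with a shared key; real OIDC providers usually sign with RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_without_verification(token: str) -> dict:
    """The CWE-347 pattern: read the claims, never check who signed them."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Accept the token only if algorithm, signature, issuer, audience and
    lifetime all check out. Raises ValueError naming the first failing check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; the token must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def verify_outcome(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    """'ok' when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, key, issuer, audience, now)
        return "ok"
    except ValueError as err:
        return str(err)


# Constructed demo values (not real SimpleHelp or IdP configuration).
IDP_KEY = b"constructed-idp-signing-key"
OTHER_KEY = b"constructed-key-the-idp-never-used"
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "remote-support-technician-login"  # hypothetical OIDC client_id
NOW = 1_750_000_000
CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "tech-1",
          "groups": ["technicians"], "exp": NOW + 300}


def demo() -> dict:
    """Run both code paths on a genuine token and on one signed with the wrong key."""
    genuine = sign_id_token(CLAIMS, IDP_KEY)
    wrong_key = sign_id_token(CLAIMS, OTHER_KEY)
    return {
        "genuine": verify_outcome(genuine, IDP_KEY, ISSUER, CLIENT_ID, NOW),
        "wrong_key": verify_outcome(wrong_key, IDP_KEY, ISSUER, CLIENT_ID, NOW),
        # The unverified decoder returns the same claims for both tokens.
        "unverified_sub": decode_without_verification(wrong_key)["sub"],
    }


if __name__ == "__main__":
    print(demo())
```

The point for reviewers of any OIDC relying party is the order of operations in `verify_id_token`: algorithm pinned by the verifier, signature checked before a single claim is read, then issuer, audience and expiry. A login path that calls something like `decode_without_verification` and then trusts `sub` or `groups` is the behaviour the KEV entry describes.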

| Check | What to look for | Why it matters |
| --- | --- | --- |
| SimpleHelp version | 5.5.15 or older, or 6.0 pre-release builds | NVD lists these as affected ranges |
| OIDC configuration | Generic OIDC or Azure AD OIDC for technician login | The bypass is tied to OIDC token handling |
| Technician list | Unknown technician names or emails | Horizon3.ai lists this as an IOC check |
| Server logs | Unexpected technician logins or configuration saves | Helps catch created accounts or failed attempts |

Why this is early

The security disclosure is not new; Horizon3.ai published it on June 12. The new signal is CISA's June 29 KEV addition, which raises priority because KEV entries are based on evidence of active exploitation.

Some uncertainty remains. CISA marks known ransomware campaign use as unknown, and public reporting varies on how much exploitation has been observed. That does not lower the patch priority for exposed remote-support infrastructure.

Key takeaways

  • CISA added CVE-2026-48558 to KEV on June 29, 2026.
  • The due date in CISA's feed is July 2, 2026.
  • The flaw affects SimpleHelp OIDC authentication in vulnerable configurations.
  • Successful exploitation can produce a technician session and may bypass MFA in some setups.
  • Defenders should patch, review technician accounts, and inspect server logs.

Availability and access

This is not a feature rollout. The action is defensive: update SimpleHelp according to vendor guidance and verify whether OIDC technician login is enabled.

NVD lists SimpleHelp 5.5.15 and prior as affected, along with 6.0 pre-release versions before 6.0 RC2. Horizon3.ai points administrators to the latest SimpleHelp update and suggests IP restrictions for technician authentication if immediate patching is delayed.

Practical LinkLoot angle

Remote-support tools sit close to endpoints, scripts, and administrator workflows. Treat the KEV entry as a trigger for asset inventory, not only patching. If SimpleHelp is used by an MSP, confirm whether client instances share the same identity-provider setup and whether technician account creation is centrally audited.

For teams building automation around security checks, LinkLoot's AI workflow automation guide is useful for turning this into a repeatable vendor-risk checklist.

What to verify before you act

  • Confirm the exact SimpleHelp version and whether it is below the fixed branch.
  • Check whether technician login uses OIDC and whether group-authenticated logins are enabled.
  • Review technician accounts for unfamiliar names or email addresses.
  • Inspect SimpleHelp server logs for unexpected technician login and configuration-save events.
  • Confirm whether the instance is internet-exposed or reachable through an MSP management path.
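The checklist above is easy to turn into a triage pass over an inventory. The script below is an added example, not SimpleHelp tooling or anything from the article's sources. It encodes only the NVD ranges quoted in the article (5.5.15 and prior; 6.0 pre-release builds before RC2) and the risky configuration Horizon3.ai described (OIDC technician login with group-authenticated logins). The version-string formats it parses ("5.5.14", "6.0 RC1", "6.0 Beta 3") and the inventory schema are assumptions; the hosts are constructed.

```python
import re

AFFECTED_5X_MAX = (5, 5, 15)   # NVD: 5.5.15 and prior
AFFECTED_6_PRE_BEFORE_RC = 2   # NVD: 6.0 pre-release builds before RC2

# Assumed formats: "5.5.14", "6.0", "6.0 RC1", "6.0 Beta 3". Anything else is rejected.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:([A-Za-z]+)\s*(\d+)?)?\s*$")


def parse_version(text: str):
    """Return (release_tuple, prerelease_tag_or_None, prerelease_number)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string {text!r}")
    major, minor, patch, tag, num = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    return release, (tag.lower() if tag else None), (int(num) if num else 0)


def is_in_affected_range(text: str):
    """(affected, reason) judged only against the NVD ranges quoted in the article."""
    release, tag, num = parse_version(text)
    if release[0] < 6:
        if release <= AFFECTED_5X_MAX:
            return True, "5.5.15 or older"
        return False, "5.x newer than 5.5.15; confirm against vendor guidance"
    if release[:2] == (6, 0) and tag is not None:
        # Assumption: non-RC tags (alpha, beta) precede RC builds.
        if tag != "rc" or num < AFFECTED_6_PRE_BEFORE_RC:
            return True, "6.0 pre-release before RC2"
        return False, "6.0 RC2 or later pre-release"
    return False, "not in the affected ranges listed by NVD"


def triage(instance: dict):
    """Priority for one instance. Expected keys (constructed schema): version,
    oidc_technician_login, group_authenticated_logins, internet_exposed."""
    affected, reason = is_in_affected_range(instance["version"])
    if not affected:
        return "low", reason
    risky_config = instance["oidc_technician_login"] and instance["group_authenticated_logins"]
    if risky_config and instance["internet_exposed"]:
        return "critical", f"{reason}; OIDC technician login with group-authenticated logins, internet-exposed"
    if risky_config:
        return "high", f"{reason}; risky OIDC configuration reachable on an internal or MSP path"
    return "medium", f"{reason}; bypass configuration not present, still update"


# Constructed inventory; hostnames and settings are placeholders.
INVENTORY = [
    {"host": "support-a", "version": "5.5.14", "oidc_technician_login": True,
     "group_authenticated_logins": True, "internet_exposed": True},
    {"host": "support-b", "version": "5.5.15", "oidc_technician_login": True,
     "group_authenticated_logins": True, "internet_exposed": False},
    {"host": "support-c", "version": "6.0 RC1", "oidc_technician_login": False,
     "group_authenticated_logins": False, "internet_exposed": True},
    {"host": "support-d", "version": "6.0 RC2", "oidc_technician_login": True,
     "group_authenticated_logins": True, "internet_exposed": True},
]


def triage_inventory(inventory=INVENTORY) -> dict:
    """Map host -> priority label for the whole inventory."""
    return {inst["host"]: triage(inst)[0] for inst in inventory}


if __name__ == "__main__":
    for inst in INVENTORY:
        print(inst["host"], inst["version"], *triage(inst))
```

Priority here is a sorting aid for the patch window, not a statement about exploitability of any specific host; a "low" result still means confirming against the vendor's current guidance, since the article's sources only bound the affected ranges as of the KEV listing.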

Source check

Confirmed by: CISA's KEV JSON feed confirms the June 29 addition, vulnerability description, required action language, July 2 due date, and CWE-347 classification.

Confirmed by context: Horizon3.ai provides disclosure detail, affected configuration notes, IOC checks, and mitigation guidance. NVD corroborates affected versions, CVSS data, references, and the core OIDC signature-verification issue.

Early signal / context: Horizon3.ai's exposure sampling and client-observation details are useful context, but the publish decision is based on CISA KEV plus CVE/NVD corroboration.

FAQ

It is a SimpleHelp OIDC authentication bypass that can let an unauthenticated attacker obtain a technician session in vulnerable configurations.