Critical SimpleHelp Vulnerability Exploited for Malware Delivery

A critical authentication bypass in SimpleHelp RMM, tracked as CVE-2026-48558, has been exploited in the wild to obtain fully authenticated technician sessions on internet-facing SimpleHelp servers and to use those sessions to deliver malware to the systems they manage. Blackpoint observed attackers deploying TaskWeaver and Djinn Stealer to fingerprint hosts and steal developer secrets, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and urged rapid patching. #SimpleHelp #CVE-2026-48558 #TaskWeaver #DjinnStealer #CISA

Key points

  • CVE-2026-48558 affects SimpleHelp’s OpenID Connect authentication flow.
  • The flaw lets attackers forge tokens and obtain authenticated technician sessions.
  • Compromised servers can be used to transfer files and execute commands on managed systems.
  • Attackers used TaskWeaver to fingerprint systems and run JavaScript payloads.
  • Djinn Stealer targeted developer secrets, cloud credentials, SSH keys, and AI tool credentials.
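
The article says only that the flaw sits in the OpenID Connect flow and lets attackers forge tokens; it does not say which check SimpleHelp failed to apply. The example below, added here and not SimpleHelp's code or a reproduction of the vulnerability, shows the checks an OIDC relying party must apply to an ID token before treating the bearer as a logged-in technician, and runs a legitimate token and several forged ones through them. It uses HS256 with a constructed shared secret so that it runs with the Python standard library only; a real provider signs with RS256 and publishes keys via JWKS. The issuer, audience and nonce values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not SimpleHelp's configuration).
# A real OIDC provider signs ID tokens with RS256 and publishes its public keys
# via JWKS; HS256 with a shared secret is used only to keep this stdlib-only.
ISSUER = "https://idp.example.invalid"          # hypothetical IdP issuer URL
AUDIENCE = "simplehelp-technician-console"       # hypothetical client_id
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, alg: str = "HS256", key: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS. alg='none' yields the unsigned form an attacker may try."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(ValueError):
    pass


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Return the claims only if every relying-party check passes; raise TokenError otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as e:  # covers bad base64, bad JSON and a wrong number of segments
        raise TokenError(f"malformed token: {e}")
    # 1. Algorithm allowlist: the verifier, not the token, decides the algorithm.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(SHARED_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # 3. Issuer and audience: a token from another IdP, or minted for another client, is not ours.
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise TokenError("wrong audience")
    # 4. Lifetime.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    # 5. Nonce binds the token to the login attempt that started this flow (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims


def demo() -> dict:
    """Run one legitimate token and five forged variants; report which were accepted."""
    now = 1_700_000_000  # fixed clock so the result is deterministic
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "tech-42", "exp": now + 300, "nonce": "n1"}
    cases = {
        "legit": mint_token(base),
        "alg_none": mint_token(base, alg="none"),
        "wrong_key": mint_token(base, key=b"attacker-guess"),
        "wrong_aud": mint_token({**base, "aud": "some-other-app"}),
        "expired": mint_token({**base, "exp": now - 1}),
        "replayed_nonce": mint_token({**base, "nonce": "stale"}),
    }
    results = {}
    for name, tok in cases.items():
        try:
            validate_id_token(tok, expected_nonce="n1", now=now)
            results[name] = "accepted"
        except TokenError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

Only the legitimate token is accepted; every forged variant fails on exactly one of the five checks. In production, do this with a maintained library (PyJWT or authlib, for example) that fetches the provider's JWKS, pin the expected algorithm, and never derive a session from unverified claims.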

Read More: https://www.securityweek.com/critical-simplehelp-vulnerability-exploited-for-malware-delivery/