A recent authentication bypass vulnerability in the SimpleHelp remote monitoring and management (RMM) software has been exploited for malware delivery.
Tracked as CVE-2026-48558 (CVSS score of 10), the bug impacts SimpleHelp’s OpenID Connect (OIDC) authentication flow and allows a remote attacker to obtain a fully authenticated technician session.
The issue exists because, when OIDC authentication is configured, the application does not verify the cryptographic signature of identity tokens, allowing an unauthenticated attacker to submit a forged token during login.
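The contrast below, an added illustration rather than SimpleHelp's code, shows a token check that trusts the payload without verifying it next to one that validates the algorithm, signature and claims before granting a session. It assumes a constructed HMAC key, issuer and audience; a real OIDC relying party verifies against the provider's published RSA/EC keys (JWKS) instead of a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo; real OIDC uses the provider's published RSA/EC keys (JWKS), not a shared secret.
SHARED_KEY = b"constructed-demo-key"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "rmm-client"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(signing_input, key):
    return _b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())

def make_token(claims, key, alg="HS256"):
    """Build a compact JWT; alg='none' yields an unsigned token (only to show what a verifier must reject)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = "" if alg == "none" else _sign(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{sig}"

def claims_without_verification(token):
    """Vulnerable pattern: trusts the payload as-is; the signature is never checked."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_id_token(token, key, now=None):
    """Hardened pattern: algorithm allowlist, constant-time signature check, then iss/aud/exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:                      # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                         # rejects 'none' and any algorithm we did not expect
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), key)
    if not hmac.compare_digest(expected, sig_b64):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The vulnerable function returns whatever identity the token claims, which is exactly the condition that lets a forged token open a technician session; the hardened one returns None for a bad signature, an unexpected algorithm, the wrong issuer or audience, or an expired token.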
With that session on an internet-facing SimpleHelp server, an attacker can transfer files and execute commands on all systems managed through the server.
In an attack observed by Blackpoint, a threat actor abused this access to deploy two malware families: TaskWeaver, a Node.js loader, and Djinn Stealer, a cross-platform information stealer.
TaskWeaver was used to perform system fingerprinting and to deploy a JavaScript payload that was executed with full Node.js access. The loader has a simple structure and can be used to deploy any encrypted payload, Blackpoint says.
Djinn was specifically designed to steal secrets from developer machines, including cloud credentials, SSH keys, infrastructure configurations, source control tokens, package registry authentication, development tooling, cryptocurrency wallets, and all browser data.
“Most notably, it takes the credentials for AI development tools, giving an attacker a foothold to tamper with the very pipelines teams are building on,” Blackpoint notes.
The security defect was addressed in late May in SimpleHelp versions 5.5.16 and 6.0 RC2. Organizations are advised to update their deployments and to check application logs for unfamiliar technician names and email addresses to identify potential compromises.
On Monday, following Blackpoint’s report, the US cybersecurity agency CISA added CVE-2026-48558 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 guidance.
