“Inventory all SimpleHelp instances in your environment right now, identify versions against CVE-2026-48558, and either apply the patch or isolate those systems from the network today.”
CRITICAL: SimpleHelp CVE-2026-48558 (CVSS 10.0) Exploited to Deploy Djinn Stealer via RMM
Attackers are actively exploiting a critical authentication bypass in SimpleHelp (CVE-2026-48558, CVSS 10.0) affecting servers configured with OIDC or Azure AD OIDC authentication, allowing unauthenticated attackers to create a fully privileged Technician session — even bypassing MFA on first login. Confirmed exploitation chains have delivered the TaskWeaver loader and Djinn Stealer, which harvests credentials from cloud, browser, SSH, and crypto wallet tools across Windows, macOS, and Linux. MSPs using SimpleHelp as their RMM must patch to the version specified in the May 2026 security update immediately and audit for unauthorized Technician accounts.
Read more →Subscribers get the full “From the Floor” take with every issue — not just the news summary you just read.
Written from 12 years on the helpdesk floor. Always free.