
Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure



By Abinaya, Cyber Security News, June 16, 2026

Nearly 14,000 internet-facing SimpleHelp servers are exposed following the disclosure of a critical authentication bypass vulnerability tracked as CVE-2026-48558. The flaw raises serious concerns for enterprises using the remote monitoring and management (RMM) platform.

Horizon3.ai identified the vulnerability through its autonomous research initiative “Sua Sponte,” which leverages AI-driven analysis to uncover exploitable flaws. The issue affects SimpleHelp deployments configured with OpenID Connect (OIDC) authentication, including integrations with Azure Active Directory.

CVE-2026-48558 is caused by improper validation of identity provider assertions during the OIDC authentication process. This flaw allows unauthenticated attackers to create a new “Technician” account and log in without valid credentials.

SimpleHelp Servers Exposed by Auth Bypass

Once inside, the attacker gains elevated privileges, as technician accounts can access managed endpoints, execute scripts, and perform administrative actions. Even environments protected by multi-factor authentication are not immune. The vulnerability enables attackers to bypass MFA by registering their own authentication method during the first login, effectively nullifying this security layer.

[Figure: Indicators of Compromise (source: horizon3.ai)]

The issue becomes exploitable in environments where OIDC authentication is enabled, a TechnicianGroup is linked to the OIDC provider, and group-authenticated logins are permitted. These settings are commonly found in enterprise deployments, increasing the likelihood of exploitation in real-world scenarios.

To detect potential compromise, administrators should carefully review technician accounts within the SimpleHelp interface, specifically checking for unfamiliar names or email addresses. Server logs should also be analyzed for suspicious activity, such as unauthorized technician registrations or unexpected configuration changes. Log files stored on the host system, including those in the /opt/SimpleHelp/logs/ directory, may provide additional evidence of malicious activity.

The scale of exposure has grown significantly over the past year. Horizon3.ai reports that the number of publicly accessible SimpleHelp servers has increased from around 3,400 in early 2025 to nearly 14,000 as of June 2026. Further analysis suggests that approximately 7.2% of these systems are configured in a way that makes them vulnerable to this authentication bypass.

Given SimpleHelp’s role in remote access and endpoint management, successful exploitation could allow attackers to move laterally across networks and compromise critical systems. Organizations are strongly advised to apply the latest security updates released by SimpleHelp to remediate the vulnerability.

[Figure: SimpleHelp offers optional settings to enhance Technician login security (source: horizon3.ai)]

In cases where immediate patching is not possible, administrators should implement temporary controls, such as restricting technician login access based on IP address in the platform’s security settings.

The vulnerability was discovered on May 21, 2026, reported to the vendor the following day, and publicly disclosed on June 12, 2026. A patch was released on June 9, before the public advisory.

This disclosure underscores the ongoing risks associated with widely deployed RMM tools. It highlights the importance of securing authentication mechanisms, particularly when integrating with enterprise identity providers.