Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure - CyberSecurityNews

CyberSecurityNews, archived Jun 19, 2026


By Abinaya, June 16, 2026

Nearly 14,000 internet-facing SimpleHelp servers are exposed following the disclosure of a critical authentication bypass vulnerability tracked as CVE-2026-48558. The flaw raises serious concerns for enterprises using the remote monitoring and management (RMM) platform.

Horizon3.ai identified the vulnerability through its autonomous research initiative “Sua Sponte,” which leverages AI-driven analysis to uncover exploitable flaws. The issue affects SimpleHelp deployments configured with OpenID Connect (OIDC) authentication, including integrations with Azure Active Directory.

CVE-2026-48558 is caused by improper validation of identity provider assertions during the OIDC authentication process. This flaw allows unauthenticated attackers to create a new “Technician” account and log in without valid credentials.

SimpleHelp Servers Exposed by Auth Bypass

Once inside, the attacker gains elevated privileges, as technician accounts can access managed endpoints, execute scripts, and perform administrative actions.

Even environments protected by multi-factor authentication are not immune. The vulnerability enables attackers to bypass MFA by registering their own authentication method during the first login, effectively nullifying this security layer.

[Figure: Indicators of Compromise (source: horizon3.ai)]

The issue becomes exploitable in environments where OIDC authentication is enabled, a TechnicianGroup is linked to the OIDC provider, and group-authenticated logins are permitted. These settings are commonly found in enterprise deployments, increasing the likelihood of exploitation in real-world scenarios.

To detect potential compromise, administrators should carefully review technician accounts within the SimpleHelp interface, specifically checking for unfamiliar names or email addresses. Server logs should also be analyzed for suspicious activity, such as unauthorized technician registrations or unexpected configuration changes. Log files stored on the host system, including those in the /opt/SimpleHelp/logs/ directory, may provide additional evidence of malicious activity.

The scale of exposure has grown significantly over the past year. Horizon3.ai reports that the number of publicly accessible SimpleHelp servers has increased from around 3,400 in early 2025 to nearly 14,000 as of June 2026. Further analysis suggests that approximately 7.2% of these systems are configured in a way that makes them vulnerable to this authentication bypass.

Given SimpleHelp’s role in remote access and endpoint management, successful exploitation could allow attackers to move laterally across networks and compromise critical systems.

Organizations are strongly advised to apply the latest security updates released by SimpleHelp to remediate the vulnerability.

[Figure: SimpleHelp offers optional settings to enhance Technician login security (source: horizon3.ai)]

In cases where immediate patching is not possible, administrators should implement temporary controls, such as restricting technician login access based on IP address in the platform’s security settings.

The vulnerability was discovered on May 21, 2026, reported to the vendor the following day, and publicly disclosed on June 12, 2026. A patch was released on June 9, before the public advisory.

This disclosure underscores the ongoing risks associated with widely deployed RMM tools. It highlights the importance of securing authentication mechanisms, particularly when integrating with enterprise identity providers.
    Article Info
    Source
    CyberSecurityNews
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 19, 2026
    Archived
    Jun 19, 2026