What happened
SimpleHelp contains an authentication bypass vulnerability in its OIDC authentication flow (CWE-347: Improper Verification of Cryptographic Signature). When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. A remote unauthenticated attacker can forge or replay an OIDC token for any user account — including administrators — gaining full access without valid credentials. CISA added this to the KEV catalog on 2026-06-29 with a federal agency remediation deadline of 2026-07-02.
Why it matters
SimpleHelp is an RMM (remote monitoring and management) platform used by 6,000+ companies in 70+ countries. RMM tools are high-value targets for ransomware actors and APTs because they provide persistent privileged access to managed endpoints at scale. While not AI-native, SimpleHelp is increasingly integrated into agentic IT automation workflows and AI-driven SOC tooling as a remote-execution backend. An auth bypass gives attackers the same agent-level access to all managed endpoints.
Attack vector
Remote unauthenticated attacker submits a crafted or replayed OIDC identity token to the SimpleHelp login endpoint; the server accepts it without signature verification, granting full administrative access.
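The CWE-347 pattern described under "What happened" and "Attack vector" is easiest to see next to the check that closes it. The following Python is an added illustration, not SimpleHelp code and not taken from the advisory: a relying party that decodes an ID token and trusts its subject (the vulnerable shape) beside one that pins the algorithm, verifies the signature, and validates issuer, audience, expiry and nonce before granting a session. The issuer, audience, client secret and token claims are constructed placeholders. It uses HS256 keyed with the client secret (permitted by OIDC Core 10.1) so it runs on the standard library alone; production deployments more commonly use RS256/ES256 with keys fetched from the provider's JWKS, which needs an RSA/EC library but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed relying-party (RP) configuration; hypothetical values, not SimpleHelp's.
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "rmm-console-client-id"
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"
# Pin the accepted algorithm set. OIDC Core 10.1 allows HS256 keyed with the
# client_secret; RS256/ES256 with JWKS keys is more common in real deployments.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Demo helper that builds a compact JWS; used to produce both genuine and bad test tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    # HS256 yields an HMAC-SHA256 tag; any other alg here yields an empty signature segment.
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + b64url_encode(sig)


def login_unverified(token: str) -> str:
    """CWE-347 pattern: decodes the payload and trusts 'sub' without checking the signature."""
    _header, payload, _sig = token.split(".")
    return "granted:" + json.loads(b64url_decode(payload))["sub"]


def verify_id_token(token: str, expected_nonce: str, now: float) -> dict:
    """Hardened check: pin alg, verify the MAC in constant time, then validate the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:  # rejects unsigned tokens and alg confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(CLIENT_SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch (replay?)")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing sub")
    return claims


def login_verified(token: str, expected_nonce: str, now=None) -> str:
    """Login path that only grants a session after verify_id_token succeeds."""
    now = time.time() if now is None else now
    try:
        return "granted:" + verify_id_token(token, expected_nonce, now)["sub"]
    except ValueError as err:
        return "denied:" + str(err)


if __name__ == "__main__":
    NOW = 1_900_000_000  # fixed clock so the demo is reproducible
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": NOW + 300, "nonce": "n-1"}
    genuine = mint_id_token(dict(base, sub="alice"))
    # Test vectors the check must reject: an unsigned token and one signed under an unknown key.
    unsigned = mint_id_token(dict(base, sub="admin"), alg="none")
    wrong_key = mint_id_token(dict(base, sub="admin"), key=b"not-the-client-secret")
    for name, tok in (("genuine", genuine), ("unsigned", unsigned), ("wrong_key", wrong_key)):
        print(name, "| unverified ->", login_unverified(tok), "| verified ->", login_verified(tok, "n-1", NOW))
    print("replayed genuine token in a new session ->", login_verified(genuine, "n-2", NOW))
```

Running the demo shows the unverified path granting an administrator session to both bad tokens, while the verified path denies them on the algorithm pin and the signature check respectively, and also denies the genuine token when it is replayed into a session with a different nonce or after its expiry.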
Affected systems
SimpleHelp (the versions addressed by the 2026-05 security update)
Mitigation
Apply the SimpleHelp 2026-05 security update immediately. Federal agencies must remediate by 2026-07-02 per CISA BOD 26-04. Advisory: https://simple-help.com/security/simplehelp-security-update-2026-05