🔴 Critical  |  Source: The Hacker News


Attackers are actively exploiting CVE-2026-48558, a critical authentication bypass flaw (CVSS 10.0) in SimpleHelp remote support software, to deploy two newly discovered malware families: TaskWeaver and Djinn Stealer. The vulnerability resides in the OpenID Connect (OIDC) flow and requires no authentication to exploit, making it trivially accessible to threat actors. This is particularly concerning given SimpleHelp’s widespread use in managed service provider environments, where a single compromised instance can cascade across many downstream clients.

Security Architect’s Take: If SimpleHelp is deployed anywhere in your environment or supply chain, patch immediately to the vendor’s remediated version and review authentication logs for anomalous OIDC requests. Additionally, audit the access paths used by third-party remote support tooling, and consider isolating SimpleHelp instances behind a VPN or zero-trust gateway to reduce exposure of the OIDC endpoint to unauthenticated traffic.

Original advisory: Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer