Skip to main content

SimpleHelp RMM Authentication Bypass Under Active Exploitation Delivering TaskWeaver and Djinn Stealer (CVE-2026-48558)

Scope: SimpleHelp Remote Monitoring and Management (RMM) Versions 5.5.15 and Earlier, and 6.0 Pre-Release Versions

Severity: Red

CISA added CVE-2026-48558 (CVSS 10.0) to its Known Exploited Vulnerabilities catalog on June 29, 2026, after Blackpoint Cyber's Adversary Pursuit Group confirmed active exploitation in which attackers forged unsigned OIDC identity tokens to bypass authentication entirely, create rogue Technician accounts with administrative privileges, and abuse SimpleHelp's own trusted file transfer and remote execution features to mass-deploy TaskWeaver (a heavily obfuscated Node.js loader disguised as jquery.js) and Djinn Stealer across all endpoints managed by the compromised RMM server. The attack is particularly dangerous for Managed Service Providers and IT departments managing multiple organizations, as a single compromised SimpleHelp instance provides silent administrative access to every client endpoint under management, with Djinn Stealer specifically targeting cloud credentials, SSH keys, cryptocurrency wallets, source code tokens, and AI coding assistant credentials that provide persistent re-entry even after the RMM server is isolated. Organizations must immediately upgrade to the patched SimpleHelp release issued June 5, 2026, and where patching cannot happen immediately, disable OIDC authentication via Administration, rotate all credentials accessible from managed endpoints, audit Technician accounts for unauthorized additions, and check all managed systems for TaskWeaver indicators of compromise.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.