## https://sploitus.com/exploit?id=4718919B-920F-5EFC-BAC2-307537132DE2
# CVE-2026-48558: SimpleHelp OIDC Authentication Bypass

> [!WARNING]
> **This code is provided AS IS for educational and research purposes only.**
> **Do not use this PoC on production systems, shared environments, or any unauthorized targets.**
> - This exploit demonstrates a critical remote code execution (RCE) vulnerability (CVE-2026-6307) that can fully compromise the Chrome renderer sandbox.
> - Running or hosting this code may trigger antivirus detections, security monitoring alerts, or legal consequences if misused.
> - The authors and repository maintainers assume **no liability** for any damage, misuse, or illegal activity resulting from this code.
> - Use exclusively in isolated lab environments with proper authorization.
>
> **Intended for defensive research, vulnerability analysis, and blue-team testing only.**

Author: _J4ck3LSyN_

---

## Description
SimpleHelp versions **5.5.15 and prior** and **6.0 pre-release** versions contain a critical authentication bypass vulnerability (CVE-2026-48558) in the OpenID Connect (OIDC) authentication flow.

When OIDC authentication is configured, the server accepts identity tokens (ID Tokens / JWTs) **without verifying their cryptographic signature**. A remote, unauthenticated attacker can forge a token with arbitrary claims (including group memberships) to create and authenticate as a privileged **Technician** user. This can also bypass MFA in affected configurations. No user interaction is required.

- **CVSS**: ~9.8–10.0 (Critical)
- **Impact**: Full technician access → remote control of managed endpoints, script execution, credential access, persistence
- **CISA KEV**: Added June 29, 2026
- **Active Exploitation**: Observed in the wild (e.g., deployment of TaskWeaver loader + Djinn Stealer)

## Technical Details
The root cause is in SimpleHelp’s OIDC token validation logic:

- Failure to enforce JWT signature verification (`alg: none` works; invalid signatures are not rejected).
- Insufficient validation of `iss`, `aud`, `exp`, and other claims in certain flows.
- When a TechnicianGroup is configured with "Allow group authenticated logins", forged tokens granting membership in that group result in a fully authenticated session.
- The attack targets the OIDC callback endpoint (typically `POST /auth/oidc/callback` or similar) by submitting a forged `id_token`.

This allows attackers to impersonate any user and escalate to technician privileges without credentials.
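The three validation failures listed above (accepting `alg: none`, not checking the signature, and not checking `iss`/`aud`/`exp`) map directly onto the checks a relying party must perform on an ID token. The following is an added example, not code from this repository or from SimpleHelp: it shows the "decode and trust the payload" pattern beside a hardened verifier. It uses only the Python standard library, so HS256 with a constructed shared secret stands in for the RS256/JWKS verification a real OIDC provider uses; the issuer, audience, key and claims are all made-up values.

```python
"""Added example: ID-token validation done wrong and done right.
Constructed values throughout; HS256 replaces the RS256/JWKS path so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration; a real deployment takes these from its OIDC settings.
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "simplehelp-client-id"
ALLOWED_ALGS = {"HS256"}  # explicit allow-list: "none" is never accepted


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def insecure_decode(token: str) -> dict:
    """The vulnerable pattern the advisory describes: the header's alg is ignored
    and the third segment is never compared to anything, so any payload is trusted."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Hardened validation. Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # 1. The algorithm is chosen by the server's allow-list, never by the token alone.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    # 2. Verify the signature over the exact signed bytes, with a constant-time compare.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer and audience must match the configured provider and client id.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    # 4. Time claims: reject expired or not-yet-valid tokens, allowing small clock skew.
    skew = 60
    if "exp" not in claims or now > claims["exp"] + skew:
        raise ValueError("token expired or missing exp")
    if "nbf" in claims and now + skew < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need accept/reject."""
    try:
        verify_id_token(token, key, now)
        return True
    except ValueError:
        return False


def mint_hs256(claims: dict, key: bytes) -> str:
    """Produces a legitimately signed token (stands in for the provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Token with alg "none" and an empty signature: the negative test case that
    the advisory says the vulnerable server accepts."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
              "groups": ["Technicians"], "exp": 2_000_000_000}
    print("insecure accepts unsigned:", insecure_decode(unsigned_token(claims))["groups"])
    print("hardened accepts unsigned:", is_valid(unsigned_token(claims), key, now=1_000_000_000))
    print("hardened accepts signed:  ", is_valid(mint_hs256(claims, key), key, now=1_000_000_000))
```

With a library, the equivalent of `verify_id_token` is a single call that passes an explicit algorithm list, the provider's key, and the expected audience and issuer, for example PyJWT's `jwt.decode(token, key, algorithms=["RS256"], audience=EXPECTED_AUDIENCE, issuer=EXPECTED_ISSUER)`; in a real OIDC deployment the key is fetched from the provider's JWKS endpoint and selected by the token's `kid` header, and any decode path that disables signature verification is the bug this advisory describes.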

## Indicators of Compromise (IoCs)
- New Technician accounts with suspicious emails/usernames in **Administration → Technicians**
- Login events and configuration changes from unknown sources in server logs
- Logs at: `/opt/SimpleHelp/logs/server.log` (and dated subdirectories)
- Unexpected `jquery.js` / Node.js executions on managed endpoints (post-exploitation)

## Mitigation / Patching
**Patch immediately**:
- **5.5 branch**: Upgrade to **5.5.16**
- **6.0 branch**: Upgrade to **6.0 RC2** or later

Official update: [SimpleHelp Security Update 2026-05](https://simple-help.com/security/simplehelp-security-update-2026-05)

**Temporary workarounds** (until patched):
- Disable OIDC authentication entirely
- Restrict server access via firewall / VPN / IP allowlisting
- Monitor and audit Technician accounts and logs

---

## Proof of Concept
See `poc.py` in this repository.

### Requirements
- Python 3.6+
- `requests`, `PyJWT`

### Setup
```bash
python3 -m venv venv
source venv/bin/activate   # use venv/bin/activate.fish if you're swimming (fish shell)
python3 -m pip install --upgrade pip
python3 -m pip install requests PyJWT
```

### Example Usage
```bash
python3 poc.py -u https://target.example.com \
  -i https://accounts.google.com \
  -a "your-configured-client-id" \
  -s attacker-sub \
  -e attacker@evil.com \
  -n "Evil Technician" \
  -g "Technicians,Admins"
```

Full parameter documentation is in the script.

**Note**: The script includes automatic callback endpoint discovery and supports manual override.  
**Repo**: https://github.com/J4ck3LSyN-Gen2/CVE-2026-48558