SimpleHelp Remote Support: New OIDC Flaw Lets Unauthenticated Attackers Create Rogue Privileged Technician Accounts

A new authentication vulnerability in SimpleHelp Remote Support — distinct from the path traversal and privilege escalation flaws patched earlier in 2026 — lets an unauthenticated attacker abuse the OIDC single sign-on implementation to create privileged technician accounts with full remote session capabilities. SimpleHelp has released emergency patches; exploitation has been observed in the wild.


SimpleHelp, the developer of the widely deployed SimpleHelp Remote Support platform, has disclosed a critical authentication vulnerability in its OIDC (OpenID Connect) single sign-on implementation that allows an unauthenticated attacker to create privileged technician accounts on vulnerable installations. The flaw is distinct from the path traversal and privilege escalation vulnerabilities addressed earlier in 2026 (CVE-2024-57726 and CVE-2024-57728) and affects a different code path, one introduced during the platform’s OIDC integration work.

Active exploitation has been observed in the wild, with attackers creating rogue technician accounts and leveraging them for initial access into enterprise environments via SimpleHelp’s legitimate remote desktop capabilities — bypassing conventional endpoint detection that typically trusts traffic from authorised RMM tools.

Vulnerability Details

The flaw exists in the OIDC callback handler of SimpleHelp’s Server component. When OIDC-based single sign-on is enabled, SimpleHelp processes identity provider callback requests to create or update local technician accounts. An authentication logic error in the callback validation allows an attacker to submit a crafted callback request — without completing the legitimate OIDC authentication flow — and trigger the account creation pathway with arbitrary privilege levels, including the Administrator role.

The attack requires network access to the SimpleHelp Server’s web interface (typically port 80/443) but needs no existing credentials or prior account. OIDC integration does not need to be actively configured by the victim organisation for the vulnerable endpoint to be reachable; the code path exists in all affected installations regardless of whether OIDC is in use.

Affected versions: SimpleHelp Server 5.4.x prior to 5.4.8, and 5.3.x prior to 5.3.11.
Fixed versions: SimpleHelp Server 5.4.8 and 5.3.11.

The RMM Tool Attack Pattern

Remote monitoring and management platforms — including SimpleHelp, AnyDesk, ConnectWise ScreenConnect, and similar tools — have become high-value targets precisely because they are trusted by endpoint security products. Traffic from legitimate RMM tools is whitelisted in most endpoint detection configurations because it is used daily by IT support staff.

Once an attacker creates a rogue SimpleHelp technician account, they can:

  • Initiate remote desktop sessions to any endpoint that has the SimpleHelp client installed — all managed endpoints in the organisation
  • Execute commands, transfer files, and install additional tooling using SimpleHelp’s built-in file transfer and remote shell capabilities
  • Operate without triggering EDR alerts that would catch the same activity from an unknown remote access tool
  • Maintain persistence by creating additional technician accounts, making account-based remediation iterative rather than decisive

The operational security advantage of abusing a legitimate RMM tool is significant: the attacker’s activity is logged within the RMM platform but may not flow to SIEM or EDR systems that monitor endpoint activity.

Detection Opportunities

  • Audit SimpleHelp technician accounts immediately — compare the current account list against your authorised list of support staff; any unrecognised accounts should be treated as indicators of compromise and the source of their creation investigated in server logs
  • Review SimpleHelp Server audit logs for unexpected account creation events, particularly those originating from external IP addresses not associated with your IT team
  • Monitor SimpleHelp remote session activity — any remote sessions to endpoints initiated outside business hours or by accounts not recognised by your IT team warrant investigation
  • Check endpoint security logs for SimpleHelp client activity on endpoints that should not have had active support sessions on or around the date of discovery
  • Update immediately to SimpleHelp Server 5.4.8 or 5.3.11 — apply before conducting the account audit if the Server itself may have been compromised
  • Rotate the SimpleHelp Server admin password and revoke all active technician sessions following patching
  • Restrict SimpleHelp Server access at the network layer if this is not already in place — the Server’s management interface should be reachable only from known IT staff IP ranges, not from the broader internet or the general corporate network
  • Enable multi-factor authentication on all remaining technician accounts — SimpleHelp supports TOTP-based MFA; enabling it limits the utility of any rogue accounts that evaded the audit
  • Ask your SIEM team to review legitimate SimpleHelp session traffic during the exploitation window (estimated from the patch date back to 10 June) for anomalous session targets or unusual activity patterns
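As an added example (not SimpleHelp’s own code, and not its real audit log format), the following Python sketch applies the first three checks above to constructed audit lines: account creations for names outside the authorised roster or from non-IT source addresses, and sessions by unrecognised accounts, outside business hours, or from non-IT addresses. The pipe-delimited layout, the roster, the IT address range and the business-hours window are all assumptions.

```python
import ipaddress
from datetime import datetime

# Assumed roster of authorised technicians (constructed for this example).
AUTHORISED_TECHS = {"alice.ops", "bob.support"}
# Assumed IT staff source ranges (constructed); anything else is suspicious.
IT_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed business hours, 08:00 to 17:59 local time.
BUSINESS_HOURS = range(8, 18)

# Constructed sample audit lines in an assumed layout:
# timestamp|event|actor|target|source_ip
# For ACCOUNT_CREATED, target is the new account name.
# For SESSION_START, target is the endpoint the technician connected to.
SAMPLE_LOG = """\
2026-06-12T09:15:02|ACCOUNT_CREATED|admin-console|alice.ops|10.20.4.17
2026-06-14T03:41:55|ACCOUNT_CREATED|oidc-callback|svc_helpdesk2|198.51.100.23
2026-06-14T03:44:10|SESSION_START|svc_helpdesk2|FIN-WS-044|198.51.100.23
2026-06-15T11:02:30|SESSION_START|bob.support|HR-LT-012|10.20.9.3
2026-06-16T22:30:00|SESSION_START|alice.ops|DC-01|10.20.4.17
"""


def in_it_ranges(ip: str) -> bool:
    """True when the source address falls inside a known IT staff range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IT_RANGES)


def review_audit_log(text: str):
    """Return (reason, actor, target, timestamp) tuples for suspicious records."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, event, actor, target, ip = raw.split("|")
        when = datetime.fromisoformat(ts)
        reasons = []
        if event == "ACCOUNT_CREATED":
            if target not in AUTHORISED_TECHS:
                reasons.append("unrecognised technician account created")
            if not in_it_ranges(ip):
                reasons.append("account creation from non-IT source address")
        elif event == "SESSION_START":
            if actor not in AUTHORISED_TECHS:
                reasons.append("session by unrecognised technician")
            if when.hour not in BUSINESS_HOURS:
                reasons.append("session outside business hours")
            if not in_it_ranges(ip):
                reasons.append("session from non-IT source address")
        findings.extend((r, actor, target, when.isoformat()) for r in reasons)
    return findings
```

Feed the real export in place of SAMPLE_LOG after adapting the field split to the actual format; every flagged account creation is a candidate indicator of compromise to trace back in the server logs.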
