CVE-2026-48558 — SimpleHelp Authentication Bypass (CWE-347)
Detects exploitation of CVE-2026-48558, an authentication bypass vulnerability in SimpleHelp remote support software caused by improper verification of cryptographic signatures (CWE-347). This KEV-listed vulnerability allows unauthenticated attackers to bypass authentication controls. SimpleHelp is commonly used by MSPs and IT support teams, making it a high-value target for initial access and lateral movement.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- SimpleHelp
- Product
- SimpleHelp
Weakness (CWE)
Timeline
- Disclosed
- June 29, 2026
References & Proof of Concept
- https://simple-help.com/security/simplehelp-security-update-2026-05
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48558
What is CVE-2026-48558 CVE-2026-48558 — SimpleHelp Authentication Bypass (CWE-347)?
CVE-2026-48558 — SimpleHelp Authentication Bypass (CWE-347) (CVE-2026-48558) maps to the Initial Access and Persistence and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2026-48558 — SimpleHelp Authentication Bypass (CWE-347), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Monitor - IIS Logs, CommonSecurityLog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let SimpleHelpPorts = dynamic([80, 443, 5850, 5900]);
let SuspiciousAdminPaths = dynamic(["/admin", "/api/admin", "/operator", "/technician"]);
union DeviceNetworkEvents, CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(7d)
| where (
(RemotePort in (SimpleHelpPorts) or DestinationPort in (SimpleHelpPorts))
or (csUriStem has_any (SuspiciousAdminPaths))
)
| where (
(csMethod in ("GET", "POST") and (csUriStem has "/admin" or csUriStem has "/operator"))
or (sc-status in (200, 302) and cs-username == "-" and csUriStem has_any (SuspiciousAdminPaths))
)
| extend AuthBypassIndicator = case(
sc-status == 200 and cs-username == "-" and csUriStem has_any (SuspiciousAdminPaths), "Unauthenticated access to admin endpoint",
sc-status == 302 and csUriStem has "/admin", "Redirect from admin path without auth session",
"Suspicious SimpleHelp request"
)
| project TimeGenerated, AuthBypassIndicator, csUriStem, sc-status, cs-username, c-ip, s-ip, csMethod, csUserAgent
| order by TimeGenerated descDetects unauthenticated access to SimpleHelp administrative and operator endpoints, indicative of authentication bypass exploitation of CVE-2026-48558. Looks for HTTP 200/302 responses to privileged paths without valid session credentials.
Data Sources
Required Tables
False Positives
- Legitimate SimpleHelp administrators accessing the panel from expected internal IP ranges
- Vulnerability scanners or asset management tools probing SimpleHelp service ports
- Load balancer health checks targeting SimpleHelp web endpoints
- Automated monitoring solutions that probe application availability endpoints
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-48558 — SimpleHelp Authentication Bypass (CWE-347) (CVE-2026-48558) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-48558
References (4)
- https://simple-help.com/security/simplehelp-security-update-2026-05
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48558
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-48558 — Unauthenticated Admin Endpoint Access Probe
Expected signal: Web server access logs will show GET requests to /admin, /operator, /technician, and /api/admin from the test host IP. Network flow data will show connections from test host to SimpleHelp port. IDS/IPS may generate HTTP policy violation alerts.
- Test 2CVE-2026-48558 — Signature Verification Bypass via Malformed Token
Expected signal: Application logs should show authentication attempts with malformed tokens. Web server logs will record requests with Authorization headers containing invalid credentials. Endpoint detection may flag the curl process making connections to internal services.
- Test 3CVE-2026-48558 — Post-Bypass Operator Account Enumeration
Expected signal: Multiple sequential API requests to /api/admin/* paths from single source IP within short timeframe. Application logs show operator/technician/config endpoint access. UEBA tools may flag unusual API access patterns if baselining is in place.
Unlock Pro Content
Get the full detection package for CVE-2026-48558 including response playbook, investigation guide, and atomic red team tests.