Detect CVE-2026-48558 — SimpleHelp Authentication Bypass (CWE-347) in Splunk
Detects exploitation of CVE-2026-48558, an authentication bypass vulnerability in SimpleHelp remote support software caused by improper verification of cryptographic signatures (CWE-347). This KEV-listed vulnerability allows unauthenticated attackers to bypass authentication controls. SimpleHelp is commonly used by MSPs and IT support teams, making it a high-value target for initial access and lateral movement.
MITRE ATT&CK
SPL Detection Query
index=web OR index=network OR index=proxy sourcetype IN ("iis", "apache:access", "nginx:plus:kv", "pan:traffic", "squid")
| where (uri_path IN ("/admin", "/operator", "/technician", "/api/admin") OR like(uri_path, "/admin%") OR like(uri_path, "/operator%"))
| eval auth_bypass_indicator=case(
status==200 AND (isnull(user) OR user="-") AND (like(uri_path, "/admin%") OR like(uri_path, "/operator%")), "Unauthenticated admin access",
status==302 AND (isnull(user) OR user="-") AND like(uri_path, "/admin%"), "Unauthenticated redirect on admin path",
status==200 AND like(uri_path, "/technician%") AND (isnull(user) OR user="-"), "Unauthenticated technician panel access",
true(), "Suspicious SimpleHelp request"
)
| where auth_bypass_indicator != "Suspicious SimpleHelp request" OR status IN (200, 302)
| stats count AS request_count, values(uri_path) AS accessed_paths, values(status) AS http_statuses, values(auth_bypass_indicator) AS indicators, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, dest_ip
| where request_count > 1
| sort -request_countIdentifies unauthenticated HTTP requests to SimpleHelp privileged paths (admin, operator, technician). Groups by source/destination IP to surface scanning and exploitation attempts against CVE-2026-48558.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate admin logins from internal support staff IP ranges without session cookie propagation to proxy logs
- Penetration testing or red team exercises against SimpleHelp infrastructure
- Automated health monitoring scripts that access SimpleHelp web interface
- Single sign-on or SAML federation redirects that appear unauthenticated at proxy layer
Other platforms for CVE-2026-48558
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-48558 — Unauthenticated Admin Endpoint Access Probe
Expected signal: Web server access logs will show GET requests to /admin, /operator, /technician, and /api/admin from the test host IP. Network flow data will show connections from test host to SimpleHelp port. IDS/IPS may generate HTTP policy violation alerts.
- Test 2CVE-2026-48558 — Signature Verification Bypass via Malformed Token
Expected signal: Application logs should show authentication attempts with malformed tokens. Web server logs will record requests with Authorization headers containing invalid credentials. Endpoint detection may flag the curl process making connections to internal services.
- Test 3CVE-2026-48558 — Post-Bypass Operator Account Enumeration
Expected signal: Multiple sequential API requests to /api/admin/* paths from single source IP within short timeframe. Application logs show operator/technician/config endpoint access. UEBA tools may flag unusual API access patterns if baselining is in place.
References (4)
- https://simple-help.com/security/simplehelp-security-update-2026-05
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48558
Unlock Pro Content
Get the full detection package for CVE-2026-48558 including response playbook, investigation guide, and atomic red team tests.