RMM CISA KEV Active Exploit

A forged JWT walks into your SimpleHelp as a technician

July 1, 2026·8 min read·Chris Boker, Founder, CVEasy AI
A three-segment JWT card enters a technician console gate, the header and payload segments intact in teal and gold while the signature segment is shown as a broken rust seal, with an arrow from the console reaching outward toward cloud, source-control, and AI IDE tiles

It is 02:14 local at a mid-size MSP, and the on-call analyst watches a new session pop up on their SimpleHelp server, tagged as a technician login through the OIDC group they use for staff. There is no push prompt on the analyst's phone, because the login never touched the MFA path, and no failed attempt in the audit log, because the server treated the token as valid. By the time the analyst clicks in, a Node.js loader named jquery.js is fanning out to endpoints managed by that RMM. That is the queue defenders started reporting in the last week of June, and why CISA added CVE-2026-48558 to KEV on June 29, 2026, with a federal patch deadline of July 2.

The token nobody checked

SimpleHelp is a widely deployed Remote Monitoring and Management (RMM) product, popular with MSPs and internal IT teams because it runs as a self-hosted Java server you point a browser at. Since 5.5 it has supported OpenID Connect so technicians can authenticate through Entra ID, Okta, or Google Workspace. The intended flow is standard: the IdP signs a JSON Web Token (JWT) carrying the technician's identity claims, the browser presents it back to SimpleHelp, and SimpleHelp verifies the signature against the IdP's public keys before granting a session.

On vulnerable builds the middle step did not happen. The server accepted the identity token, parsed the claims, and mapped the caller to a technician account without ever verifying the cryptographic signature that binds those claims to the IdP. Classification is CWE-347, Improper Verification of Cryptographic Signature, the same failure mode that turned early JWT libraries into headline material a decade ago. Horizon3.ai researcher Zach Hanley found the bug through the firm's Sua Sponte AI-assisted pipeline and published the disclosure on June 12, 2026, with the CCB Belgium advisory pinning the CVSSv4 score at 9.5. An attacker only needs to craft a JWT the server will accept: any algorithm in the header, any subject in the payload, random bytes in the signature, and the forged token returns a valid technician session cookie through a normal HTTP login request.

Group authenticated logins is the switch that turns the exposure on

Not every SimpleHelp deployment is exposed. The vulnerable path requires a Technician Group with "Allow group authenticated logins" enabled, the setting that lets the server auto-provision technician accounts from IdP claims, which is the standard configuration for anyone running SimpleHelp with SSO. Horizon3.ai's June 12 sweep counted roughly 14,000 internet-facing SimpleHelp servers with about 7.2% on the vulnerable OIDC configuration, so roughly a thousand exposed technician consoles, each with remote-access agents into every endpoint the server manages.

MFA is not a rescue, because SimpleHelp's multi-factor policies gate the local username-and-password flow while the OIDC assertion path is treated as already-authenticated, so a forged token slides past MFA entirely. SimpleHelp 5.5.16 and 6.0 RC2, shipped in late May 2026, verify the JWT signature against the configured IdP keys and collapse the split between group-authenticated and standard technician accounts so the auto-provision path stops being a side door.

The prerequisite in one line: SimpleHelp server on 5.5.15 or earlier, or any 6.0 pre-release before 6.0 RC2, with OIDC enabled and at least one Technician Group set to "Allow group authenticated logins." If all three are true, treat the server as compromised until proven otherwise.

TaskWeaver arrives as jquery.js, Djinn Stealer takes everything on the machine

Once the intruder holds a technician session the RMM does the hard part for them. Blackpoint Cyber, summarized by SecurityWeek and SecurityAffairs, documented a chain that uses SimpleHelp's native push-file-and-run primitives to drop two previously undocumented families onto managed endpoints. First is TaskWeaver, a heavily obfuscated Node.js loader delivered as jquery.js and executed through node.exe, a filename chosen because a JavaScript file in a developer directory rarely earns a second look, and it does not steal directly, it opens an encrypted channel to attacker infrastructure and streams down whatever payload the operator wants next.

The observed payload is Djinn Stealer, a cross-platform infostealer running on Windows, macOS, and Linux that targets the credentials that turn one workstation into a full production intrusion: cloud provider keys and session tokens, GitHub and GitLab credentials, npm and PyPI and container registry material, SSH private keys, browser-stored passwords and cookies, cryptocurrency wallet files, and the configuration folders used by AI coding assistants, which increasingly hold long-lived tokens. Djinn Stealer packages everything in one sweep, exfiltrates, and the operator moves on. No ransom note has appeared in the reported incidents so far, consistent with an early-stage credential-monetization play rather than a ransomware crew.

Why a straight CVSS-first queue mis-ranks this one

Every scanner will flag CVE-2026-48558 at the top of its severity bucket because the CVSS math justifies it, and that is exactly the problem. On a Tuesday you might see forty CVSS 9.0-and-up findings, only one of which is an internet-exposed RMM with OIDC on and named exploitation. A CVSS-first queue treats a 9.8 pre-auth RCE on an isolated lab appliance the same as a 10.0 auth bypass on the tool that already holds remote-agent access to every endpoint you manage. SimpleHelp deserves the top of the queue not because the number is 10, but because the exposure is direct, the exploitation is documented, and the blast radius runs through your managed estate.

How TRIS scores CVE-2026-48558

TRIS, the Threat and Risk Intelligence Scoring engine inside CVEasy AI, prices a finding against the specific asset it lives on rather than the generic CVE, and four layers do the work here.

Exploitation evidence. KEV listed on June 29, 2026 with a July 2 federal deadline, plus named exploitation from Blackpoint Cyber tying the flaw to TaskWeaver and Djinn Stealer, lands the finding in the ACT band, the top tier reserved for active abuse.

Exposure and configuration. The finding only matures on servers running a vulnerable build with OIDC enabled and at least one Technician Group with group-authenticated logins allowed, so TRIS reads those signals rather than the base score and does not scream at every SimpleHelp instance.

Blast radius. RMM sits above the endpoints it manages, so an unauth session on the server is effectively an unauth foothold on every agent-managed workstation, and TRIS pulls the asset relationship graph so a compromised RMM surfaces the downstream endpoints, credentials, and tokens a technician session can reach.

Environmental fit. An externally reachable server on 5.5.15 with OIDC and group logins on, sitting in front of a managed estate that holds cloud keys and AI IDE tokens, prices at the top of the ACT band; an internal-only server on 5.5.16 with OIDC disabled prices near the floor. TRIS also keeps the honest distinction between confirmed exploitation in the wild and a PoC in a lab.

Patch, rotate, hunt

Upgrade every SimpleHelp server to 5.5.16 or 6.0 RC2 from the vendor's release page. If a server cannot be patched in the next window, disable OIDC or restrict the management interface to the internal network, and rotate the OIDC client secret and any provisioning keys the server holds.

Assume compromise on any SimpleHelp server that was internet-reachable with vulnerable OIDC since late May. Pull technician session logs for the last sixty days and look for logins outside working hours, from unfamiliar source addresses, or from OIDC subjects that do not match a real employee. On agent-managed endpoints, search for jquery.js in paths outside a legitimate web project and for node.exe child processes spawned by the SimpleHelp remote-access service, then correlate outbound traffic against unfamiliar hosts in the same window. Rotate cloud provider keys, SCM tokens, package registry credentials, AI coding assistant tokens, SSH private keys, and browser-stored passwords on every workstation under a compromised RMM, because Djinn Stealer takes them in one pass and half-measures are the same as no measures.

The credential blast radius is the story: Every workstation and server that a compromised SimpleHelp instance managed should be treated as a source of leaked cloud, SCM, registry, and AI IDE credentials. Patching the RMM without rotating those secrets leaves the attacker's copy of the keys still valid.

How CVEasy AI surfaces this

CVEasy AI, the number one local-first CTEM platform, ingests the KEV catalog, vendor advisories, and named exploitation reports as they land, cross-references them against the SimpleHelp servers and RMM agents in your inventory, and runs TRIS on the intersection. On the morning of June 29 that meant a single top-of-queue item for every operator running SimpleHelp with OIDC, with the "Allow group authenticated logins" flag pulled through as the trigger, the fixed-version upgrade path spelled out, and the downstream agent-managed endpoints listed as the rotation scope. Inventory, technician logs, and asset relationships stay on your hardware, which is the point of running the CTEM loop inside your own trust boundary rather than shipping the map of your managed estate to a SaaS tenant.

Sources: Horizon3.ai disclosure, Horizon3.ai IOCs, The Hacker News, SecurityWeek, SecurityAffairs, CCB Belgium, SimpleHelp release news