
SimpleHelp: Vulnerability Enables Unauthenticated Technician Account Creation


Bottom line: Unauthenticated external attackers can abuse SimpleHelp servers to create admin technician accounts.


The remote management software SimpleHelp contains a vulnerability that allows unauthenticated attackers to create privileged technician accounts on affected servers. The vulnerability resides in the implementation of the OpenID Connect (OIDC) authentication protocol and requires no prior authentication or authorization of the attacker.

For CISOs, this represents a direct lateral movement and persistence risk: a compromised or externally accessible SimpleHelp server becomes a gateway for privileged system access. Technician accounts typically have elevated rights for managing customer devices and networks. Attackers could use these accounts not only for initial access but also to obscure their identity and impersonate legitimate support staff.

An immediate review of all SimpleHelp deployments for patch status is required. The focus should be on internet-facing instances. Network-based detection should check for suspicious OIDC requests and unexpected account creations. Affected organizations should analyze audit logs for anomalous technician accounts and disable them if necessary until patch validation has been completed.


Source: www.bleepingcomputer.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
