CISA Flags Actively Exploited SimpleHelp Flaw, Orders Federal Agencies to Patch Fast
A newly listed authentication bypass in SimpleHelp remote-support software is being used in real attacks, and federal agencies now face a hard deadline to fix it.

Key points
- CISA added CVE-2026-48558, an authentication bypass in SimpleHelp remote-support software, to its Known Exploited Vulnerabilities Catalog after confirming active attacks.
- The flaw lets attackers skip the login step entirely and take control of exposed SimpleHelp servers.
- Federal civilian agencies must prioritise the fix under Binding Operational Directive 26-04, which took effect earlier this year.
- CISA is urging every organisation running SimpleHelp — not just government — to patch immediately and check for signs of prior break-ins.
CISA — the US Cybersecurity and Infrastructure Security Agency, the federal body that tracks live cyber threats — has added a fresh vulnerability to its Known Exploited Vulnerabilities Catalog. That catalogue, known as the KEV list, is the government's running tally of software flaws hackers are actively abusing right now.
The new entry is CVE-2026-48558, an authentication bypass in SimpleHelp. In plain terms: SimpleHelp is remote-support software that IT teams use to log into other people's computers to fix problems. An authentication bypass means an attacker can skip the password check and walk straight in.
CISA says the flaw is being exploited in the wild. It has not published the names of victims or the attackers behind the campaign.
What does this flaw actually let attackers do?
It lets them take over the SimpleHelp server without valid credentials. From there, an attacker sitting on an IT support tool has a straight path into every machine that tool connects to — customer laptops, servers, point-of-sale systems, the lot.
That is why remote-management software keeps ending up in ransomware playbooks. One compromised console, dozens of downstream victims.
Who has to act, and by when?
Federal Civilian Executive Branch agencies — think the Department of Commerce, the IRS, the SEC and dozens of others — are bound by Binding Operational Directive 26-04. The directive tells agencies to drop everything and patch KEV-listed flaws on any publicly exposed system where a successful attack would hand over full control. This one qualifies.
BOD 26-04 also tells agencies to check whether they were already broken into before the patch went on. That is the part organisations most often skip. A patch stops the next attacker. It does not evict the one already inside.
CISA, in its advisory, encourages private companies to follow the same discipline even though the directive does not legally bind them.
What should SimpleHelp customers do this week?
If your business uses SimpleHelp, or your IT provider does on your behalf, three practical steps matter.
First, ask your provider — in writing — which SimpleHelp version they run and when they applied the vendor's fix. Second, ask them to review server logs for unexpected admin sessions or new accounts created in recent weeks. Third, if the SimpleHelp server is reachable from the open internet, ask whether it truly needs to be.
End users of a company that was breached through SimpleHelp would typically be notified under state breach-notification laws or, for health data, HIPAA. Watch your inbox for any notice naming your IT vendor, and treat unsolicited "IT support" calls in the coming weeks with suspicion. Attackers who steal support-tool access often follow up with convincing calls pretending to be your helpdesk.
CISA maintains a nomination form for researchers and defenders who spot exploited flaws not yet on the KEV list. Expect the catalogue to keep growing. SimpleHelp joins a long line of remote-access products — from Ivanti to ConnectWise ScreenConnect — that attackers have leaned on this year.



