Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux.
The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM).
Earlier this month, offensive security company Horizon3.ai published details about CVE-2026-48558, saying that the flaw could be leveraged to create highly privileged technician accounts without authentication.
The vulnerability can be exploited on servers that use the OpenID Connect (OIDC) authentication protocol. According to the researchers, around 1,000 SimpleHelp servers exposed online were running a vulnerable configuration at the time of the disclosure.
In an incident investigated by managed detection and response (MDR) provider Blackpoint, a threat actor exploited the critical authentication bypass vulnerability to establish an authenticated technician session on an internet-facing SimpleHelp server before deploying the TaskWeaver malware loader and the Djinn Stealer.











