A vulnerability in SimpleHelp remote management software (no CVE has been assigned yet) allows unauthenticated attackers to create rogue technician accounts with administrative privileges. The bug resides in the server's implementation of the OpenID Connect (OIDC) authentication protocol, enabling attackers to bypass authentication entirely.
The flaw affects all SimpleHelp server versions using OIDC authentication. No CVSS score has been published yet, but the ability to gain privileged access without credentials makes this a critical security issue. Proof-of-concept exploit code is expected to circulate soon, raising the risk of active exploitation.
Attackers can craft a malicious OIDC request that tricks the server into granting technician-level permissions without valid authentication. No user interaction is required. Indicators of compromise include unexpected technician accounts in the SimpleHelp admin panel and unusual remote session initiation logs.
SimpleHelp has released a patched version that fixes the OIDC authentication flaw. Administrators should update immediately and review existing technician accounts for unauthorized additions. As a temporary workaround, disabling OIDC authentication and using local authentication is advised until the patch is applied.
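The two indicators named above (unexpected technician accounts and unusual session initiation) and the post-patch account review both come down to comparing what the server currently shows against a known-good baseline. The following script is an added example, not SimpleHelp's code or output: the JSON account export format, the key=value session log format and the business-hours window are all constructed assumptions, since the page does not describe SimpleHelp's real schemas. Adapt the two parsers to whatever your admin panel actually exports.

```python
import json
from datetime import datetime

# Constructed baseline of technicians that were provisioned deliberately.
APPROVED_TECHNICIANS = {"alice", "bob"}

# Constructed account listing in a hypothetical JSON export format; the real
# SimpleHelp export schema is not described on the page.
CURRENT_ACCOUNTS_JSON = json.dumps([
    {"name": "alice", "admin": True, "created": "2024-01-10T09:00:00Z"},
    {"name": "bob", "admin": False, "created": "2024-02-02T11:30:00Z"},
    {"name": "svc-oidc-helper", "admin": True, "created": "2024-06-01T03:14:00Z"},
])

# Constructed session log lines in a hypothetical "timestamp EVENT key=value ..." format.
SESSION_LOG = """\
2024-06-01T03:15:02Z SESSION_START tech=svc-oidc-helper machine=FIN-WS-07 src=203.0.113.9
2024-06-01T09:02:11Z SESSION_START tech=alice machine=HR-WS-02 src=10.0.4.21
2024-06-01T03:20:44Z SESSION_START tech=svc-oidc-helper machine=DC-01 src=203.0.113.9
2024-06-01T09:45:00Z SESSION_END tech=alice machine=HR-WS-02 src=10.0.4.21
"""


def find_unexpected_accounts(accounts_json, approved):
    """Return accounts absent from the approved baseline, admin accounts first."""
    accounts = json.loads(accounts_json)
    unexpected = [a for a in accounts if a["name"] not in approved]
    return sorted(unexpected, key=lambda a: (not a["admin"], a["name"]))


def parse_session_line(line):
    """Parse one constructed log line into a dict with an aware UTC timestamp."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def suspicious_sessions(log_text, approved, business_hours=(6, 20)):
    """Flag session starts by technicians not on the baseline or outside business hours (UTC)."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_session_line(line)
        if rec["event"] != "SESSION_START":
            continue
        reasons = []
        if rec["tech"] not in approved:
            reasons.append("technician not on approved baseline")
        if not (business_hours[0] <= rec["ts"].hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for acct in find_unexpected_accounts(CURRENT_ACCOUNTS_JSON, APPROVED_TECHNICIANS):
        print(f"UNEXPECTED ACCOUNT {acct['name']} admin={acct['admin']} created={acct['created']}")
    for s in suspicious_sessions(SESSION_LOG, APPROVED_TECHNICIANS):
        print(f"{s['ts'].isoformat()} {s['tech']} -> {s['machine']} from {s['src']}: {', '.join(s['reasons'])}")
```

Run the account check first and feed any names it reports back into the session review, so that every remote session started by a rogue account is accounted for before the account is removed; the baseline itself should live outside the SimpleHelp server, since an attacker with an admin technician account could otherwise edit it.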
The vulnerability was responsibly disclosed to SimpleHelp and fixed prior to publication. While no active exploitation has been confirmed in the wild, attackers often reverse-engineer patches to develop exploits, making rapid deployment of the update essential.
For organizations that rely on remote support tools, this incident underscores the importance of auditing third-party authentication integrations, as flaws in OIDC or SAML implementations can expose entire networks to unauthorized access.
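The page does not say which check SimpleHelp's OIDC implementation got wrong, so the following is an added, generic example rather than the vendor's code: the set of checks a relying party must apply to an ID token before treating it as a login. It signs tokens with HS256 and a constructed shared secret so that it runs with only the Python standard library; a production integration instead verifies RS256 signatures against the provider's published JWKS, but pins the expected algorithm in exactly the same way. The issuer URL, client id and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"   # constructed; real deployments verify RS256 against the IdP's JWKS
ISSUER = "https://idp.example"          # constructed issuer URL
CLIENT_ID = "simplehelp-rp"             # constructed relying-party client id
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "tech-1234",
                 "iat": 1000, "exp": 2000, "nonce": "n1"}   # constructed


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims, secret, alg="HS256"):
    """Mint a compact JWT; used here only to construct inputs for the validator."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, secret, expected_issuer, expected_audience, expected_nonce, now=None):
    """Return the claims if every check passes; raise ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose its own algorithm: accept only the one this relying party expects.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature holds do the claims mean anything.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")   # binds the token to the login attempt that requested it
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def token_status(token, now=None):
    """Convenience wrapper: 'ok' or the name of the first failed check."""
    try:
        validate_id_token(token, SECRET, ISSUER, CLIENT_ID, "n1", now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = make_token(SAMPLE_CLAIMS, SECRET)
    print("valid token:", token_status(good, now=1500))
    print("same token after expiry:", token_status(good, now=2500))
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is taken from configuration rather than from the token header, and the audience check stops a token minted for a different application at the same provider from being replayed against this one. Whether a validated subject may hold a technician role is a separate authorization decision that should consult an allow-list maintained by the administrator, not a value carried inside the token.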