SimpleHelp Ltd A.I CyberSecurity Scoring
SimpleHelp Ltd
Company Information
Website: https://www.simple-help.com
Employees number: 2
Number of followers: 0
NAICS: 5112
Industry Type: Software Development
Homepage: simple-help.com
SimpleHelp Ltd Risk Score (AI oriented): 412/1000, grade C (Critical); the Critical band spans 0 to 549.
Updated: 16/06/2026
SimpleHelp Ltd Global Score (TPRM): score locked.
Current Score: 412 C (CRITICAL), on a 0 to 1000 scale
7 incidents · -18 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 415
Vulnerability • 12 Jun 2026 • SimpleHelp Ltd
SimpleHelp: Nearly 14,000 SimpleHelp Servers Exposed Amid Critical Authentication Bypass Disclosure
Nearly 14,000 SimpleHelp Servers Exposed by Critical Authentication Bypass Flaw
Score: 411 · CRITICAL-4 · Incident ID: SIM1781576629
A critical authentication bypass vulnerability, tracked as CVE-2026-48558, has left nearly 14,000 internet-facing SimpleHelp servers exposed, posing severe risks to enterprises using the remote monitoring and management (RMM) platform. The flaw was discovered by Horizon3.ai through its AI-driven research initiative, Sua Sponte, and affects deployments configured with OpenID Connect (OIDC) authentication, including integrations with Azure Active Directory.
The vulnerability stems from improper validation of identity provider assertions during the OIDC authentication process, allowing unauthenticated attackers to create a new "Technician" account and log in without credentials. Once inside, attackers gain elevated privileges, enabling them to access managed endpoints, execute scripts, and perform administrative actions. Even systems protected by multi-factor authentication (MFA) are vulnerable, as the flaw permits attackers to bypass MFA by registering their own authentication method during the first login.
Exploitation is possible in environments where OIDC authentication is enabled, a TechnicianGroup is linked to the OIDC provider, and group-authenticated logins are permitted, settings that are common in enterprise deployments. Administrators can detect potential compromise by reviewing technician accounts for unfamiliar entries and analyzing server logs for unauthorized registrations or configuration changes. Logs stored in `/opt/SimpleHelp/logs/` may provide additional evidence of malicious activity.
The number of publicly accessible SimpleHelp servers has quadrupled since early 2025, rising from 3,400 to nearly 14,000 as of June 2026. Approximately 7.2% of these systems are configured in a way that makes them vulnerable to this flaw. Given SimpleHelp’s role in remote access and endpoint management, successful exploitation could allow attackers to move laterally across networks, compromising critical systems.
The vulnerability was discovered on May 21, 2026, reported to the vendor the following day, and publicly disclosed on June 12, 2026. A patch was released on June 9, prior to the advisory. For organizations unable to patch immediately, temporary mitigations such as restricting technician logins by IP address are recommended. The incident underscores the risks associated with RMM tools and the need for secure authentication mechanisms, particularly when integrating with enterprise identity providers.
MAY 2026: 401
APRIL 2026: 400
MARCH 2026: 389
FEBRUARY 2026: 387
Cyber Attack • 11 Feb 2026 • SimpleHelp Ltd
SimpleHelp: Crazy ransomware gang abuses employee monitoring tool in attacks
Crazy Ransomware Gang Exploits Legitimate Tools for Stealthy Network Infiltration
Score: 371 · CRITICAL-16 · Incident ID: SIM1770839636
Researchers at Huntress have uncovered a campaign by the Crazy ransomware gang, which abuses legitimate employee monitoring software and remote support tools to maintain persistence in corporate networks, evade detection, and prepare for ransomware attacks.
In multiple intrusions, threat actors deployed Net Monitor for Employees Professional, a legitimate monitoring tool, alongside SimpleHelp, a remote access platform, to blend in with normal administrative activity. Attackers installed Net Monitor via Windows Installer (`msiexec.exe`), enabling them to remotely view desktops, transfer files, and execute commands on compromised systems. They also attempted to activate the local administrator account using the command `net user administrator /active:yes`.
For redundant access, the attackers installed SimpleHelp via PowerShell, often disguising the binary with filenames mimicking legitimate software, such as `OneDriveSvc.exe` or `vshost.exe` (a Visual Studio-related file). This ensured persistence even if the monitoring tool was removed.
In one case, the hackers configured SimpleHelp to trigger alerts when devices accessed cryptocurrency wallets or remote management tools, likely preparing for ransomware deployment or cryptocurrency theft. Monitored keywords included wallet services (MetaMask, Exodus), exchanges (Binance, Bybit), and remote access tools (RDP, AnyDesk, TeamViewer).
The attackers also disabled Windows Defender by stopping and deleting associated services, further reducing detection risks. While only one incident resulted in Crazy ransomware deployment, Huntress linked both cases to the same threat actor, citing reused filenames (`vhost.exe`) and overlapping command-and-control infrastructure.
The use of legitimate remote management tools has become a common tactic in ransomware attacks, allowing threat actors to evade security measures by blending in with normal traffic. Both breaches originated from compromised SSL VPN credentials, highlighting the need for stronger authentication controls.
FEBRUARY 2026: 404
Cyber Attack • 10 Feb 2026 • SimpleHelp Ltd
ConnectWise, Datto, SmartVault, SimpleHelp and Amazon: Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Microsoft Warns of Tax-Season Phishing Surge Targeting U.S. Organizations
Score: 370 · CRITICAL-34 · Incident ID: SMASIMCONAMADAT1775551328
Microsoft has identified a wave of phishing campaigns exploiting the U.S. tax season to steal credentials and deploy malware. Threat actors are leveraging urgent, time-sensitive lures such as fake refund notices, payroll forms, and IRS impersonations to trick recipients into interacting with malicious links, QR codes, or attachments.
The attacks disproportionately target accountants, tax professionals, and industries handling sensitive financial data, including manufacturing, retail, healthcare, and higher education. Some campaigns use Phishing-as-a-Service (PhaaS) platforms like Energy365 and SneakyLog (Kratos) to harvest credentials, including two-factor authentication (2FA) codes, via spoofed Microsoft 365 login pages. Others deploy remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp to gain persistent access to compromised systems.
Key campaigns include:
- CPA-themed phishing using the Energy365 kit, sending hundreds of thousands of malicious emails daily.
- QR code and W-2 lures targeting ~100 U.S. organizations in manufacturing, retail, and healthcare, redirecting victims to fake Microsoft 365 sign-in pages.
- IRS impersonation with cryptocurrency tax form scams, distributing ScreenConnect or SimpleHelp via domains like irs-doc[.]com.
- Datto malware delivery via fake tax-filing assistance links sent to accountants.
- A large-scale February 10, 2026, attack affecting 29,000 users across 10,000 organizations, primarily in financial services, tech, and retail. Emails, sent via Amazon SES, claimed irregular tax returns under recipients’ Electronic Filing Identification Numbers (EFINs) and directed users to a fake SmartVault site (smartvault[.]im) to download a malicious ScreenConnect installer.
The campaigns highlight a 277% year-over-year surge in RMM tool abuse, with attackers daisy-chaining multiple tools to evade detection. Since RMM software is often trusted in corporate environments, unauthorized usage can go unnoticed, complicating attribution and response efforts.
JANUARY 2026: 399
DECEMBER 2025: 249
NOVEMBER 2025: 239
OCTOBER 2025: 235
SEPTEMBER 2025: 224
AUGUST 2025: 214
JULY 2025: 203
JUNE 2025: 403
Ransomware • 04 Jun 2025 • SimpleHelp Ltd
SimpleHelp: Play Ransomware Campaign
Score: 183 · CRITICAL-220 · Incident ID: SIM358060525
Groups linked with the Play ransomware have compromised more than 900 organizations, in some cases by exploiting an unpatched security flaw in the remote-access tool SimpleHelp. The ransomware operators use double-extortion techniques, stealing and encrypting sensitive data, then threatening to release it unless a ransom is paid. The criminals gain access through various means, including stolen credentials and exploitation of old vulnerabilities. The FBI warns that multiple ransomware groups have exploited this flaw, leading to significant data breaches and potential financial losses.
MAY 2025: 592
Ransomware • 28 May 2025 • SimpleHelp Ltd
SimpleHelp: DragonForce Ransomware Attack on MSP via SimpleHelp Vulnerabilities
Score: 401 · CRITICAL-191 · Incident ID: SIM740052825
Sophos researchers uncovered a cyberattack where DragonForce ransomware operators exploited three chained vulnerabilities in the SimpleHelp remote management tool to compromise an MSP and its customers. The attackers used these vulnerabilities to gain administrative access, deploy ransomware, and steal data from multiple clients. While one client with Sophos MDR and XDR defenses successfully blocked the attack, others were compromised, resulting in significant data leaks and potential operational disruptions.
JUNE 2024: 682
Ransomware • 16 Jun 2024 • SimpleHelp Ltd
SimpleHelp: Sophisticated Supply-Chain Ransomware Attacks via SimpleHelp RMM Vulnerabilities (2025)
Score: 537 · CRITICAL-145 · Incident ID: SIM1332213111025
SimpleHelp, a widely used Remote Monitoring and Management (RMM) platform by MSPs and vendors, became the entry point for a sophisticated supply-chain ransomware attack in early 2025. Exploiting three critical unpatched vulnerabilities (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728), threat actors from Medusa and DragonForce ransomware groups weaponized SimpleHelp’s SYSTEM-level privileges to breach downstream UK organizations. Attackers leveraged the trusted RMM infrastructure to bypass security controls, deploy ransomware (e.g., Gaze.exe, .dragonforce_encrypted), and exfiltrate data using tools like RClone and Restic. Over 50% of incidents involved data theft, targeting high-value assets (domain controllers, backups, financial/employee records). The attacks resulted in operational disruptions, financial extortion via double-extortion leak sites, and reputational damage due to public victim shaming. Patches were available but unapplied, exposing systemic failures in third-party risk management and patch compliance, with long-term consequences for affected MSPs and their clients.
JUNE 2022: 752
Ransomware • 16 Jun 2022 • SimpleHelp Ltd
SimpleHelp: Play Ransomware Gang Targets U.S. Critical Infrastructure via SimpleHelp Vulnerabilities
Score: 639 · CRITICAL-113 · Incident ID: SIM2780927120125
The Play ransomware gang exploited critical vulnerabilities in SimpleHelp, a remote support tool widely used by managed service providers (MSPs) and IT teams. The most severe flaw, CVE-2024-57727 (path traversal), allowed unauthenticated attackers to download arbitrary files from SimpleHelp servers, granting initial access to multiple client environments simultaneously. This breach enabled follow-on ransomware attacks, including deployments of DragonForce ransomware in at least one confirmed case. While only nine healthcare organizations were directly impacted, the advisory from the FBI and CISA warned that Play ransomware has compromised ~900 organizations globally since 2022, targeting critical infrastructure across North/South America and Europe. The attack chain leveraged SimpleHelp’s trusted status to propagate laterally, disrupting operations, exposing sensitive data, and potentially enabling supply-chain attacks on downstream clients. SimpleHelp released patches, but delayed updates left many systems vulnerable, amplifying the risk of data exfiltration, operational outages, and financial extortion. The incident underscores the systemic threat posed by RMM tool exploits in enabling large-scale ransomware campaigns.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for SimpleHelp Ltd?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in May 2026?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in April 2026?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in March 2026?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in February 2026?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in January 2026?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in December 2025?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in November 2025?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in October 2025?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in September 2025?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in August 2025?
What was SimpleHelp Ltd's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on SimpleHelp Ltd's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with SimpleHelp Ltd?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view SimpleHelp Ltd's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?