Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer

Summary

Threat actors are exploiting a critical authentication bypass vulnerability (CVE-2026-48558) in SimpleHelp to deploy two new malware families, TaskWeaver and Djinn Stealer. The vulnerability allows unauthenticated attackers to bypass authentication via the OpenID Connect (OIDC) flow.

IFF Assessment

FOE

The exploitation of a critical vulnerability allows attackers to deploy new malware, posing a direct threat to organizations.

Severity

10.0 Critical

The CVSS score of 10.0 indicates a critical vulnerability with a high impact, exploitable by unauthenticated attackers through the OIDC flow.

CISA KEV: Listed as actively exploited. Federal patch due: July 02, 2026. Known ransomware use: Unknown.

Defender Context

Defenders need to prioritize patching SimpleHelp instances immediately to prevent exploitation of this critical vulnerability. The emergence of new malware families like TaskWeaver and Djinn Stealer also indicates evolving threat actor tactics, requiring vigilance in threat hunting and detection.
