Infosecurity-Magazine
Critical SimpleHelp Vulnerability Exploited for Malware Delivery
Article Content
A maximum-severity vulnerability in SimpleHelp's RMM software, tracked as CVE-2026-48558, has been exploited to deliver two new malware families: TaskWeaver and Djinn Stealer. The flaw allows unauthenticated attackers to forge login tokens and gain privileged access to technician sessions. Attackers used this access to deploy a heavily obfuscated Node.js loader, TaskWeaver, which then executed the infostealer Djinn Stealer. This malware targets sensitive credentials across Windows, macOS, and Linux systems, including cloud services and AI development tools. The vulnerability was disclosed and patched in early June 2026, but exploitation was confirmed on June 29, 2026, when CISA added it to its Known Exploited Vulnerabilities catalog. Organizations using SimpleHelp are urged to apply patches immediately and rotate any exposed credentials.
Key Points:
• CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp.
• Attackers exploited the flaw to deploy TaskWeaver and Djinn Stealer malware.
• The malware targets sensitive credentials across multiple operating systems.