News Directory 3

Critical SimpleHelp OIDC Flaw Lets Attackers Create Privileged Admin Accounts Remotely

June 16, 2026 Lisa Park Tech
Original source: bleepingcomputer.com

A vulnerability in SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol, according to BleepingComputer on June 15, 2026. This flaw enables unauthorized users to bypass standard security checks and gain high-level administrative access to managed systems.

The bug specifically targets the way SimpleHelp handles OIDC, an identity layer built on the OAuth 2.0 protocol that allows clients to verify user identities via an external authorization server. BleepingComputer reports that attackers can exploit this process to register rogue accounts with technician-level permissions without providing valid credentials.

How does the SimpleHelp OIDC vulnerability work?

The vulnerability exists in the implementation of the OpenID Connect protocol within the software. OIDC typically relies on a trusted third-party provider to authenticate a user before granting access to an application. In this instance, the authentication handshake is flawed, allowing an attacker to spoof or manipulate the identity verification process.

Once the authentication is bypassed, the attacker can trigger the creation of a new account. Because the software assigns these accounts “privileged technician” status, the attacker gains the same capabilities as a legitimate system administrator. This includes the ability to remotely control servers, access sensitive data, and modify system configurations.

Technician accounts in remote management tools are designed for maximum visibility and control. They often possess the authority to install software, execute scripts, and manage other user accounts across a network of connected devices.

What are the risks of rogue technician accounts?

The creation of rogue accounts allows for persistent access to a target environment. Unlike a temporary exploit that might be cleared after a system reboot, a registered technician account remains valid until an administrator manually identifies and deletes it.

According to the report from BleepingComputer, these accounts provide a direct pathway for several high-impact attacks:

  • Data Exfiltration: Attackers can use remote access tools to move sensitive files from the server to an external location.
  • Ransomware Deployment: Privileged access allows attackers to disable security software and deploy encryption payloads across all servers managed by the SimpleHelp instance.
  • Lateral Movement: A compromised remote management server acts as a hub, giving attackers a foothold to jump from the management console into other parts of the corporate network.

Why are remote management tools targeted?

Remote Monitoring and Management (RMM) tools like SimpleHelp are high-value targets because they centralize control over an entire IT infrastructure. Security researchers frequently categorize RMM software as “dual-use” tools, meaning they are essential for legitimate IT support but highly effective for attackers once compromised.

This incident follows a pattern of vulnerabilities in RMM software where authentication bypasses lead to full system takeover. By targeting the management layer rather than individual endpoints, attackers can compromise hundreds of servers through a single entry point.

The use of OIDC is intended to increase security by centralizing identity management. However, as this vulnerability demonstrates, implementation errors in the protocol can create new attack vectors that negate the benefits of single sign-on (SSO) architectures.

How can administrators secure their servers?

Administrators using SimpleHelp are advised to review their technician account lists for any unrecognized usernames or emails. BleepingComputer indicates that identifying rogue accounts is a critical step in determining if a server has already been compromised.

Standard mitigation for this type of vulnerability involves updating the software to a patched version that corrects the OIDC handshake logic. Organizations should also consider implementing strict IP whitelisting for the management console to ensure that only trusted networks can attempt authentication, regardless of the protocol used.
