CVE-2020-36911
Remote Code Execution via Forged JWT in Covenant
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | covenant | From 0.1.3 (inc) to 0.5 (inc) |
| unknown_vendor | covenant | 0.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-36911 is a critical remote code execution vulnerability in Covenant versions 0.1.3 through 0.5. The Covenant server signs its JSON Web Tokens with a static, hard-coded secret that ships with the project, so anyone who can reach the management API can mint a token that verifies correctly and carries the Administrator role. With that forged token an attacker impersonates an administrator, creates a malicious Listener Profile whose dynamic message-transform code ships as a custom DLL, and has the server load and execute it, giving arbitrary command execution as the account Covenant runs under (root by default in the documented deployments). The root cause is CWE-798: the JWT signing key is a hard-coded credential rather than a per-deployment secret. [3, 5, 6]
How can this vulnerability impact me? :
This vulnerability can lead to full compromise of the Covenant server. An unauthenticated attacker needs no existing privileges and no user interaction to obtain administrative access, upload and execute an arbitrary DLL, and run commands as root on the server. From there they control every implant (Grunt) managed by that server, can read or delete operational data, and can pivot into the operators' environment, so confidentiality, integrity and availability are all severely impacted. [3, 5, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First confirm exposure: a Covenant instance between 0.1.3 and 0.5 is vulnerable, and the signing key can be checked directly in the server's configuration rather than inferred from traffic. Note that a token forged with the static key is cryptographically indistinguishable from a legitimate one while that key is still in use, so network-level detection relies on context: JWTs presented to the management API (default port 7443) that carry the Administrator role but belong to no known operator, unexpected calls to endpoints such as /api/users or /api/grunts, and in particular new Listener Profiles or uploaded DLLs that no operator created. Checking firewall rules (for example 'sudo ufw status' on Linux) tells you whether port 7443 is reachable from outside, which determines exposure but not whether the key has already been abused. The exploit scripts in Resource 2 and Resource 5 show how the forged tokens are built and can be adapted into a test against your own deployment. The referenced resources provide no dedicated detection commands. [1, 3, 6]
What immediate steps should I take to mitigate this vulnerability?
Upgrade Covenant to version 0.6 or later, which replaces the static JWT signing key with a unique key generated per deployment; if you cannot upgrade immediately, replace the signing key in the server configuration with a long random value yourself. Either change invalidates every token issued under the old key, including any an attacker has already forged, so operators will need to log in again. Independently, make sure the management port (default 7443) is not reachable from untrusted networks: restrict it with host firewall rules (for example 'sudo ufw deny 7443' or the equivalent) and network segmentation, and expose only the listener ports that implants need. Firewalling limits who can present a forged token but does not fix the key; the key change is the actual remediation, and the two together remove the path to forging admin tokens and uploading malicious DLLs. [1, 6]