CVE-2020-36911
Unknown Unknown - Not Provided
Remote Code Execution via Forged JWT in Covenant

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36911
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor covenant From 0.1.3 (inc) to 0.5 (inc)
unknown_vendor covenant 0.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-36911 is a critical remote code execution vulnerability in Covenant versions 0.1.3 through 0.5. It arises from a hardcoded JWT secret key that allows attackers to forge JSON Web Tokens with administrative privileges. By crafting these malicious tokens, attackers can impersonate administrators, upload custom DLL payloads via malicious Listener Profiles, and execute arbitrary commands on the target system with the privileges of the Covenant application user (which runs as root by default). This exploit abuses the JWT authentication mechanism and the dynamic message transformation feature of Covenant to achieve full system compromise. [3, 5, 6]

Impact Analysis

This vulnerability can lead to a full system compromise of the Covenant server. Attackers can gain administrative access without any privileges or user interaction, upload and execute arbitrary DLL payloads, and run commands as the root user on the server. This allows them to control implants (agents), perform reconnaissance, delete data, and execute arbitrary code remotely, severely impacting the confidentiality, integrity, and availability of the affected system. [3, 5, 6]

Detection Guidance

This vulnerability can be detected by checking for unauthorized or forged JWT tokens with administrative privileges being used to access the Covenant server API, especially on the administrative port (default 7443). Monitoring network traffic for suspicious JWT tokens or unusual API calls to endpoints like /api/users or /api/grunts can help detect exploitation attempts. Additionally, verifying if the Covenant version in use is between 0.1.3 and 0.5 indicates vulnerability. Commands to check firewall rules to ensure port 7443 is not publicly accessible (e.g., using 'sudo ufw status' on Linux) can help detect exposure. Specific exploit scripts (such as the one in Resource 2 and Resource 5) demonstrate how forged JWT tokens are crafted and used, which can be adapted for detection or testing. However, no explicit detection commands are provided in the resources. [1, 3, 6]

Mitigation Strategies

Immediate mitigation steps include upgrading Covenant to version 0.6 or later, which replaces the static JWT signing key with a securely generated unique key per deployment. Additionally, ensure that the Covenant administrative port (default 7443) is not publicly accessible by restricting access via firewall rules (e.g., using 'sudo ufw deny 7443' or equivalent). Network segmentation and proper firewalling to block external access to the management API can prevent exploitation. These steps reduce the risk of attackers forging admin JWT tokens and uploading malicious DLL payloads for remote code execution. [1, 6]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart