Cyber Posture

CVE-2020-36911

Critical · Public PoC

Published: 13 January 2026
Modified: 29 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0086 (75.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly addresses improper JWT validation by requiring validation of untrusted inputs like forged tokens to prevent granting administrative privileges.

prevent: Ensures proper management, protection, and verification of authenticators such as JWT tokens to block forgery and unauthorized admin access.

prevent: Enforces approved authorizations, preventing invalid JWT tokens from enabling administrative actions like DLL uploads and RCE.

Security Summary · AI

CVE-2020-36911 is a remote code execution vulnerability affecting Covenant versions 0.1.3 through 0.5. The flaw enables attackers to craft malicious JSON Web Tokens (JWTs) that grant administrative privileges, allowing them to upload custom DLL payloads and execute arbitrary commands on the target system. This issue stems from improper JWT validation, classified under CWE-798 (Use of Hard-coded Credentials), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access to the Covenant instance can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation grants full administrative control, enabling remote code execution that compromises confidentiality, integrity, and availability of the system hosting Covenant.

References for this CVE include the official Covenant project page at https://cobbr.io/Covenant.html, a proof-of-concept exploit at https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb, the main Covenant GitHub repository at https://github.com/cobbr/Covenant, and archived discussions such as a Twitter post at https://web.archive.org/web/20201013165001/https://twitter.com/cobbr_io/status/1316058367161401344 and a blog at https://web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-hunters. Practitioners should consult these for any disclosed patches or mitigation guidance.

Details

CWE(s)

Affected Products

cobbr · covenant · 0.1.3 — 0.5

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote code execution in a public-facing web application (Covenant server) through crafted JWTs, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
