Cyber Posture

CVE-2020-36911

Critical · Public PoC

Published: 13 January 2026

Modified: 29 January 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0111 (78.3th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36911 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Cobbr Covenant. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly addresses improper JWT validation by requiring validation of untrusted inputs like forged tokens to prevent granting administrative privileges.

Prevent: Ensures proper management, protection, and verification of authenticators such as JWT tokens to block forgery and unauthorized admin access.

Prevent: Enforces approved authorizations, preventing invalid JWT tokens from enabling administrative actions like DLL uploads and RCE.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables unauthenticated remote code execution in a public-facing web application (Covenant server) through crafted JWTs, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

Deeper analysisAI

CVE-2020-36911 is a remote code execution vulnerability affecting Covenant versions 0.1.3 through 0.5. The flaw enables attackers to craft malicious JSON Web Tokens (JWTs) that grant administrative privileges, allowing them to upload custom DLL payloads and execute arbitrary commands on the target system. This issue stems from improper JWT validation, classified under CWE-798 (Use of Hard-coded Credentials), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access to the Covenant instance can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation grants full administrative control, enabling remote code execution that compromises confidentiality, integrity, and availability of the system hosting Covenant.

References for this CVE include the official Covenant project page at https://cobbr.io/Covenant.html, a proof-of-concept exploit at https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb, the main Covenant GitHub repository at https://github.com/cobbr/Covenant, and archived discussions such as a Twitter post at https://web.archive.org/web/20201013165001/https://twitter.com/cobbr_io/status/1316058367161401344 and a blog at https://web.archive.org/web/20201101052547/https://blog.null.farm/hunting-the-hunters. Practitioners should consult these for any disclosed patches or mitigation guidance.

Details

CWE(s): CWE-798

Affected Products

cobbr / covenant: 0.1.3 — 0.5

CVEs Like This One

CVE-2026-35503 (shared CWE-798)
CVE-2017-20234 (shared CWE-798)
CVE-2026-32834 (shared CWE-798)
CVE-2026-27073 (shared CWE-798)
CVE-2026-30701 (shared CWE-798)
CVE-2025-42890 (shared CWE-798)
CVE-2025-69971 (shared CWE-798)
CVE-2025-8857 (shared CWE-798)
CVE-2025-1724 (shared CWE-798)
CVE-2026-25202 (shared CWE-798)
