CVE-2024-55215

CRITICAL

jrohy/trojan 2.0.0-2.15.3 - Unauthenticated Privilege Escalation via Initialization Interface

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-55215. PoCs published by ainrm.

AI-analyzed exploit summary This PoC exploits an unauthenticated password modification vulnerability in Jrohy/trojan (v2.0.0 - v2.15.3) by sending a POST request to `/auth/register` to change the admin password without authentication. The exploit hashes the password using SHA-224 and sends it to the target endpoint.

Description

An issue in trojan v.2.0.0 through v.2.15.3 allows a remote attacker to escalate privileges via the initialization interface /auth/register.

Exploits (1)

nomisec WORKING POC 1 stars

by ainrm · poc

https://github.com/ainrm/Jrohy-trojan-unauth-poc

View Code ZIP pw:eip

This PoC exploits an unauthenticated password modification vulnerability in Jrohy/trojan (v2.0.0 - v2.15.3) by sending a POST request to `/auth/register` to change the admin password without authentication. The exploit hashes the password using SHA-224 and sends it to the target endpoint.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Jrohy/trojan v2.0.0 - v2.15.3

No auth needed

Prerequisites: Network access to the target's `/auth/register` endpoint

MITRE ATT&CK

T1110.001 - Password Guessing

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/ainrm/Jrohy-trojan-unauth-poc/blob/main/README.en.md

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0127

EPSS Percentile 65.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-276

Status published

Products (1)

jrohy/trojan 2.0.0 - 2.15.3

Published Feb 07, 2025

Tracked Since Feb 18, 2026