This writeup details a policy restriction bypass in CyberArk PSMP <=10.9.1, where crafted SSH connection strings can evade recording mechanisms (keystroke, SSH text, and video) by injecting a reverse shell command. The vulnerability leverages improper input validation in the PSMP server, allowing commands executed in the reverse shell to remain unmonitored.
Classification: Writeup 90%
Target: CyberArk Privileged Session Manager (PSMP) <=10.9.1
Auth required
Prerequisites:
- Access to a valid CyberArk vault username
- PSMP policy allowing PSMRemoteMachine overwrite
- SSH access to the PSMP server