EIP-2026-103888

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103888. PoCs published by LAHBAL Said.

AI-analyzed exploit summary This writeup details a policy restriction bypass in CyberArk PSMP <=10.9.1, where crafted SSH connection strings can evade recording mechanisms (keystroke, SSH text, and video) by injecting a reverse shell command. The vulnerability leverages improper input validation in the PSMP server, allowing commands executed in the reverse shell to remain unmonitored.

Description

CyberArk PSMP 10.9.1 - Policy Restriction Bypass

Exploits (1)

exploitdb WRITEUP

by LAHBAL Said · textremotemultiple

https://www.exploit-db.com/exploits/48239

View Code ZIP pw:eip

This writeup details a policy restriction bypass in CyberArk PSMP <=10.9.1, where crafted SSH connection strings can evade recording mechanisms (keystroke, SSH text, and video) by injecting a reverse shell command. The vulnerability leverages improper input validation in the PSMP server, allowing commands executed in the reverse shell to remain unmonitored.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: CyberArk Privileged Session Manager (PSMP) <=10.9.1

Auth required

Prerequisites: Access to a valid CyberArk vault username · PSMP policy allowing PSMRemoteMachine overwrite · SSH access to the PSMP server

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1090 - Proxy

devstral-2 · analyzed Feb 18, 2026 Full analysis →

CyberArk PSMP 10.9.1 - Policy Restriction Bypass

Exploitation Summary

Description

Exploits (1)

Details