VDB

GCVE-110-OSM-2026-1171

GCVE-110-OSM-2026-1171
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published February 12, 2026
Installs a full remote access trojan that connects to attacker-controlled WebSocket C2 at wss://vortix.onrender.com, enabling arbitrary command execution, real-time screen capture, bidirectional file transfer, and cross-platform persistence installation. The C2 operator can remotely enable persistence (macOS LaunchAgent, Windows Task Scheduler, Linux systemd) without further user interaction. agent/agent.js connects via WebSocket to wss://vortix.onrender.com?token=device-{hostname}:{password}. Handles: EXECUTE (exec shell commands, streams stdout/stderr), START_SCREEN_CAPTURE (screenshot-desktop at 1fps, sends JPEG as base64), DOWNLOAD_FILE (fs.readFileSync any path, returns base64), UPLOAD_FILE (writes arbitrary files), ENABLE_AUTOSTART (installs platform-specific persistence). Auto-reconnects every 5 seconds on disconnect. Platform-specific persistence: macOS writes ~/Library/LaunchAgents/com.vortix.agent.plist with KeepAlive=true.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownvortix1.0.0 through 1.2.1 (affected)

References

vendor

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›