VDB
GCVE-110-OSM-2026-1171
GCVE-110-OSM-2026-1171
Advisory PublishedCVSS 8.8/10
Installs a full remote access trojan that connects to attacker-controlled WebSocket C2 at wss://vortix.onrender.com, enabling arbitrary command execution, real-time screen capture, bidirectional file transfer, and cross-platform persistence installation. The C2 operator can remotely enable persistence (macOS LaunchAgent, Windows Task Scheduler, Linux systemd) without further user interaction.
agent/agent.js connects via WebSocket to wss://vortix.onrender.com?token=device-{hostname}:{password}. Handles: EXECUTE (exec shell commands, streams stdout/stderr), START_SCREEN_CAPTURE (screenshot-desktop at 1fps, sends JPEG as base64), DOWNLOAD_FILE (fs.readFileSync any path, returns base64), UPLOAD_FILE (writes arbitrary files), ENABLE_AUTOSTART (installs platform-specific persistence). Auto-reconnects every 5 seconds on disconnect. Platform-specific persistence: macOS writes ~/Library/LaunchAgents/com.vortix.agent.plist with KeepAlive=true.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | vortix | 1.0.0 through 1.2.1 (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.