CVE-2025-27093 (GCVE-0-2025-27093)
Vulnerability from cvelistv5
Published
2025-10-28 19:29
Modified
2025-10-29 17:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27093",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T17:43:49.558008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T17:43:54.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sliver",
"vendor": "BishopFox",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.5.43"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T19:29:16.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7"
},
{
"name": "https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff"
},
{
"name": "https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd"
}
],
"source": {
"advisory": "GHSA-q8j9-34qf-7vq7",
"discovery": "UNKNOWN"
},
"title": "Sliver does not restricted traffic between Wireguard clients."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27093",
"datePublished": "2025-10-28T19:29:16.147Z",
"dateReserved": "2025-02-18T16:44:48.764Z",
"dateUpdated": "2025-10-29T17:43:54.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27093\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-28T20:15:47.897\",\"lastModified\":\"2025-10-30T15:05:32.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27093\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-29T17:43:49.558008Z\"}}}], \"references\": [{\"url\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-29T17:43:42.804Z\"}}], \"cna\": {\"title\": \"Sliver does not restricted traffic between Wireguard clients.\", \"source\": {\"advisory\": \"GHSA-q8j9-34qf-7vq7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"BishopFox\", \"product\": \"sliver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.5.43\"}]}], \"references\": [{\"url\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7\", \"name\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff\", \"name\": \"https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd\", \"name\": \"https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-28T19:29:16.147Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27093\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-29T17:43:54.102Z\", \"dateReserved\": \"2025-02-18T16:44:48.764Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-28T19:29:16.147Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
ghsa-q8j9-34qf-7vq7
Vulnerability from github
Published
2025-10-28 17:31
Modified
2025-10-29 14:47
Severity ?
VLAI Severity ?
Summary
Silver has unrestricted traffic between Wireguard clients
Details
Summary
Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: 1. Leaked/recovered keypair (from a beacon) being used to attack operators. 2. Port forwardings usable from other implants.
Details
-
Sliver treat operators' Wireguard config and beacon/session's Wireguard config equally, they both connect to the wireguard listener created from the CLI.
-
The current netstack implementation does not filter traffic between clients. I think this piece of code handle traffic between clients, from experimental results clients can ping and connect to each other freely, and I didn't see any filtering here either: ``` File: server\c2\wireguard.go 246: func socketWGWriteEnvelope(connection net.Conn, envelope *sliverpb.Envelope) error { 247: data, err := proto.Marshal(envelope) 248: if err != nil { 249: wgLog.Errorf("Envelope marshaling error: %v", err) 250: return err 251: } 252: dataLengthBuf := new(bytes.Buffer) 253: binary.Write(dataLengthBuf, binary.LittleEndian, uint32(len(data))) 254: connection.Write(dataLengthBuf.Bytes()) 255: connection.Write(data) 256: return nil 257: } 258:
``` 3. The docs says to use a Wireguard clients and operator wg-config to connect to the same WG listener as beacons: https://sliver.sh/docs?name=Port%20Forwarding
-
If the operator uses official wireguard clients that integrates with the OS's netstack (I'm using the Windows client) then their services are accessible on the wireguard interface's IP address (for example 100.64.0.3) when the services listen on 0.0.0.0 (SSH, RDP, SMB, etc)
-
The beacon's wireguard private key can be recovered through a process dump or other forensic techniques.
- When a private key is recovered, an attacker can connect to 100.64.0.1:1337 (key exchange listener) to generate new wireguard clients without the operators' knowledge, in that way achieve persistence inside the wireguard network.
PoC
Easy way: 1. Create 2 operators wireguard config. 2. Connect them both to the wireguard listener. 3. From one machine, ping/scan/connect to the other's services like RDP (3389), SSH (22), etc.
Slightly complicated way:
1. From the operator's machine, connect to the wireguard listener.
2. On the attacker's machine, run a beacon.
3. Dump the process
4. Find the private key, public key, endpoint, etc in the dump file:
- Construct a valid Wireguard config based on the strings found. On the attacker's machine, connect to the Wireguard listener.
- Ping/scan/connect to the other's services like RDP (3389), SSH (22), etc.
Impact
The operator's machine is impacted, if their services contain a vulnerability, an attacker can exploit it and gain RCE. If not then it could be used to gather information (Hostname, SSH signature, etc).
Suggestion
- Filter traffic between clients with a default-deny policy.
- Differentiate between operators and beacons' wireguard config/client
- Only allow specific one-way traffic when the operator request to open a Wireguard port forward.
Vulnerable versions
All versions containing wireguard functionality.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.43"
},
"package": {
"ecosystem": "Go",
"name": "github.com/BishopFox/sliver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.44"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27093"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-28T17:31:32Z",
"nvd_published_at": "2025-10-28T20:15:47Z",
"severity": "MODERATE"
},
"details": "### Summary\nSliver\u0027s custom Wireguard netstack doesn\u0027t limit traffic between Wireguard clients, this could lead to:\n1. Leaked/recovered keypair (from a beacon) being used to attack operators.\n2. Port forwardings usable from other implants.\n\n\n### Details\n1. Sliver treat operators\u0027 Wireguard config and beacon/session\u0027s Wireguard config equally, they both connect to the wireguard listener created from the CLI.\n\n2. The current netstack implementation does not filter traffic between clients. \nI think this piece of code handle traffic between clients, from experimental results clients can ping and connect to each other freely, and I didn\u0027t see any filtering here either:\n```\nFile: server\\c2\\wireguard.go\n246: func socketWGWriteEnvelope(connection net.Conn, envelope *sliverpb.Envelope) error {\n247: \tdata, err := proto.Marshal(envelope)\n248: \tif err != nil {\n249: \t\twgLog.Errorf(\"Envelope marshaling error: %v\", err)\n250: \t\treturn err\n251: \t}\n252: \tdataLengthBuf := new(bytes.Buffer)\n253: \tbinary.Write(dataLengthBuf, binary.LittleEndian, uint32(len(data)))\n254: \tconnection.Write(dataLengthBuf.Bytes())\n255: \tconnection.Write(data)\n256: \treturn nil\n257: }\n258: \n\n```\n3. The docs says to use a Wireguard clients and operator wg-config to connect to the same WG listener as beacons:\nhttps://sliver.sh/docs?name=Port%20Forwarding\n\n4. If the operator uses official wireguard clients that integrates with the OS\u0027s netstack (I\u0027m using the [Windows client](https://www.wireguard.com/install/)) then their services are accessible on the wireguard interface\u0027s IP address (for example 100.64.0.3) when the services listen on 0.0.0.0 (SSH, RDP, SMB, etc) \n\n\n5. The beacon\u0027s wireguard private key can be recovered through a process dump or other forensic techniques.\n6. When a private key is recovered, an attacker can connect to 100.64.0.1:1337 (key exchange listener) to generate new wireguard clients without the operators\u0027 knowledge, in that way achieve persistence inside the wireguard network.\n\n\n### PoC\nEasy way:\n1. Create 2 operators wireguard config.\n2. Connect them both to the wireguard listener.\n3. From one machine, ping/scan/connect to the other\u0027s services like RDP (3389), SSH (22), etc.\n\nSlightly complicated way:\n1. From the operator\u0027s machine, connect to the wireguard listener.\n2. On the attacker\u0027s machine, run a beacon.\n3. Dump the process\n4. Find the private key, public key, endpoint, etc in the dump file:\n\n\n\n\n\n5. Construct a valid Wireguard config based on the strings found. On the attacker\u0027s machine, connect to the Wireguard listener.\n6. Ping/scan/connect to the other\u0027s services like RDP (3389), SSH (22), etc.\n\n### Impact\nThe operator\u0027s machine is impacted, if their services contain a vulnerability, an attacker can exploit it and gain RCE. If not then it could be used to gather information (Hostname, SSH signature, etc).\n\n### Suggestion\n1. Filter traffic between clients with a default-deny policy.\n2. Differentiate between operators and beacons\u0027 wireguard config/client\n3. Only allow specific one-way traffic when the operator request to open a Wireguard port forward.\n\n### Vulnerable versions\nAll versions containing wireguard functionality.",
"id": "GHSA-q8j9-34qf-7vq7",
"modified": "2025-10-29T14:47:34Z",
"published": "2025-10-28T17:31:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27093"
},
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff"
},
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/BishopFox/sliver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Silver has unrestricted traffic between Wireguard clients"
}
fkie_cve-2025-27093
Vulnerability from fkie_nvd
Published
2025-10-28 20:15
Modified
2025-10-30 15:05
Severity ?
Summary
Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff | ||
| security-advisories@github.com | https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd | ||
| security-advisories@github.com | https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7 | ||
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7 |
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants."
}
],
"id": "CVE-2025-27093",
"lastModified": "2025-10-30T15:05:32.197",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T20:15:47.897",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…