CVE-2026-25760: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in BishopFox sliver
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated path traversal / arbitrary file read issue, and it can expose credentials, configs, and keys. This vulnerability is fixed in 1.6.11.
AI Analysis
Technical Summary
CVE-2026-25760 is a path traversal vulnerability classified under CWE-22 found in the Sliver command and control (C2) framework developed by BishopFox. Sliver uses a custom Wireguard netstack to facilitate secure communications between operators and implants. Prior to version 1.6.11, the website content subsystem of Sliver improperly limits pathname inputs, allowing an authenticated operator to perform path traversal attacks. This vulnerability enables the attacker to read arbitrary files on the server hosting Sliver, bypassing intended directory restrictions. Since the attacker must be an authenticated operator, the threat actor already has some level of access, but this flaw significantly escalates their ability to access sensitive data. The arbitrary file read can expose critical information such as credentials, configuration files, and cryptographic keys, which could be leveraged for further compromise or lateral movement. The vulnerability does not directly affect the integrity or availability of the system but compromises confidentiality. The CVSS 3.1 base score is 6.5, reflecting a network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and high confidentiality impact. No public exploits or active exploitation have been reported to date. The issue is resolved in Sliver version 1.6.11, which properly sanitizes and restricts pathname inputs in the website content subsystem.
Potential Impact
For European organizations, the impact of CVE-2026-25760 centers on the potential exposure of sensitive operational data within Sliver C2 servers. Organizations using Sliver for red teaming, penetration testing, or adversary simulation could have their internal credentials, configuration files, and cryptographic keys exposed if an attacker gains authenticated operator access. This could lead to unauthorized access to other internal systems, compromise of simulated attack infrastructure, and leakage of sensitive security tooling details. While the vulnerability requires authenticated access, insider threats or compromised operator credentials could enable exploitation. The confidentiality breach could undermine trust in security assessments and expose organizations to further attacks. Given Sliver's use in offensive security, the exposure of keys and configs could also aid threat actors in mimicking or evading detection by leveraging stolen C2 infrastructure details. European critical infrastructure sectors and large enterprises that rely on advanced red teaming tools are particularly at risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop exploits or insider threats emerge.
Mitigation Recommendations
The primary mitigation is to upgrade all Sliver instances to version 1.6.11 or later, where the path traversal vulnerability is fixed. Organizations should implement strict access controls to limit operator accounts to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Regularly audit operator activity logs for suspicious file access patterns that may indicate exploitation attempts. Network segmentation should be employed to isolate Sliver servers from broader enterprise networks to limit lateral movement if compromised. Additionally, encrypt sensitive configuration files and keys at rest to reduce the impact of arbitrary file reads. Employ runtime application self-protection (RASP) or web application firewalls (WAF) that can detect and block path traversal attempts targeting the website content subsystem. Finally, conduct periodic security reviews of offensive security tooling environments to ensure they are patched and securely configured.
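The two technical points above, restricting pathname inputs to a content directory (the fix class described in the technical summary) and auditing operator activity logs for traversal attempts, come down to the same containment check. The Go code below is an added illustration written for this page; it is not Sliver's code and does not reproduce the actual flaw or fix. The content root `/srv/sliver-www`, the function names and the sample request paths are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would resolve outside the content root.
var ErrOutsideRoot = errors.New("requested path escapes the content root")

// ResolveWithinRoot maps a web-style request path onto a file below root and
// refuses any path that would land outside it. Generic illustration of the fix
// class (limiting a pathname to a restricted directory); hypothetical, not Sliver's code.
func ResolveWithinRoot(root, requested string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// NUL bytes and backslashes are rejected outright: both are classic ways to
	// hide a separator from a naive filter, and neither belongs in a web path.
	if strings.ContainsAny(requested, "\x00\\") {
		return "", ErrOutsideRoot
	}
	// Join cleans the result, collapsing "." and ".." segments lexically.
	candidate := filepath.Join(absRoot, filepath.FromSlash(requested))
	// The decisive check: the path relative to root must not start with "..".
	// A plain string-prefix test would wrongly accept "/srv/www2" for root "/srv/www".
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// Caveat: this is a lexical check only. If root may contain symlinks that
	// point outside it, also resolve with filepath.EvalSymlinks before serving.
	return candidate, nil
}

// FlagEscapingRequests is a log-audit helper: it percent-decodes each recorded
// request path (so "%2e%2e%2f" is seen as "../") and returns the raw entries
// that would have escaped root. Intended for reviewing operator activity logs.
func FlagEscapingRequests(root string, requestPaths []string) []string {
	var flagged []string
	for _, raw := range requestPaths {
		decoded, err := url.PathUnescape(raw)
		if err != nil {
			// Malformed percent-encoding is itself worth a look.
			flagged = append(flagged, raw)
			continue
		}
		if _, err := ResolveWithinRoot(root, decoded); err != nil {
			flagged = append(flagged, raw)
		}
	}
	return flagged
}

func main() {
	root := "/srv/sliver-www" // hypothetical content root, not a real Sliver path
	// Constructed sample request paths, as they might appear in an access log.
	sample := []string{
		"/index.html",
		"/assets/../index.html", // ".." that stays inside root is fine
		"/../../etc/passwd",
		"/assets/%2e%2e/%2e%2e/%2e%2e/etc/passwd", // percent-encoded traversal
		"/assets/..%5c..%5cetc/passwd",            // backslash separators
	}
	for _, p := range FlagEscapingRequests(root, sample) {
		fmt.Println("traversal attempt:", p)
	}
}
```

Run as written, the program flags the last three sample entries and accepts the first two. The `filepath.Rel` comparison is what does the work; the NUL and backslash rejection and the percent-decoding step are there because log entries and raw requests rarely arrive in the canonical form a lexical check expects.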
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T18:35:52.357Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69866468f9fa50a62f36cd1e
Added to database: 2/6/2026, 10:00:08 PM
Last enriched: 2/14/2026, 12:13:03 PM
Last updated: 3/23/2026, 11:21:25 PM