CVE-2026-25760: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in BishopFox sliver
CVE-2026-25760 is a medium-severity authenticated path traversal vulnerability in BishopFox's Sliver C2 framework in versions prior to 1.6.11. It allows an authenticated operator to read arbitrary files on the Sliver server by exploiting improper pathname limitation in the website content subsystem. This can expose sensitive data such as credentials, configuration files, and cryptographic keys. The vulnerability does not require user interaction but does require operator-level privileges. It affects Sliver deployments running versions before 1.6.11 and has no known exploits in the wild at the time of writing. The issue has been fixed in version 1.6.11.
AI Analysis
Technical Summary
CVE-2026-25760 is a path traversal vulnerability classified under CWE-22 affecting the Sliver command and control (C2) framework developed by BishopFox. Sliver is an open-source adversary emulation framework written in Go; among its C2 transports it uses a custom userland WireGuard netstack for covert communications during red team operations. The vulnerability exists in the website content subsystem of Sliver versions prior to 1.6.11, where insufficient validation of file path inputs allows an authenticated operator to traverse outside the intended restricted directory. The result is arbitrary file read on the Sliver server host, potentially exposing credential stores, configuration files, private keys, and other sensitive data. Exploitation requires authenticated operator-level access but no additional user interaction, and the attack vector is network-based. The CVSS v3.1 base score is 6.5 (medium), consistent with a network attack vector, low attack complexity, low privileges required, no user interaction, high confidentiality impact, and no integrity or availability impact. The vulnerability has been addressed in Sliver version 1.6.11, which restricts resolved pathnames to the intended directory. No public exploits or active exploitation campaigns have been reported to date. However, given Sliver's role in offensive security engagements, exposed credentials or keys could let a third party take over red team infrastructure or reuse the material for unauthorized access and lateral movement in the environments being tested.
Potential Impact
For European organizations, the impact of this vulnerability is primarily the unauthorized disclosure of sensitive information stored on Sliver C2 servers, including credentials, configuration data, and cryptographic keys. This exposure could lead to compromise of red team infrastructure, enabling attackers to hijack or manipulate offensive security operations, potentially masking malicious activity or escalating privileges within the network. Organizations relying on Sliver for internal security testing or adversary simulation risk operational security breaches if this vulnerability is exploited. Additionally, leaked credentials or keys could be repurposed by threat actors to gain persistent access or pivot to other critical systems. The confidentiality impact is high, while integrity and availability remain unaffected. Since exploitation requires authenticated operator access, the threat is mitigated somewhat by access controls, but insider threats or compromised operator accounts increase risk. The network-based attack vector means remote exploitation is feasible once authentication is obtained, emphasizing the need for strong operator account security. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.
Mitigation Recommendations
European organizations should immediately upgrade all Sliver deployments to version 1.6.11 or later to remediate this vulnerability. Beyond patching, tighten operator access: Sliver operators authenticate to the server with per-operator mTLS configuration files rather than passwords, so treat those files as secrets, issue one per person, revoke the configurations of departed operators, and put multi-factor authentication on the jump host or VPN through which the operator port is reached. Regularly audit operator activity logs to detect anomalous file access patterns indicative of exploitation attempts. Segregate Sliver infrastructure from critical production environments to limit potential lateral movement if it is compromised, and use network segmentation and firewall rules to restrict access to Sliver servers to authorized personnel and systems. After patching, rotate all credentials, keys, and configuration files stored on Sliver servers to invalidate any secrets that may already have been read. Conduct periodic security assessments of red team tools and infrastructure to identify and remediate similar vulnerabilities proactively. Finally, maintain up-to-date incident response plans that include scenarios involving compromise of offensive security tools.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T18:35:52.357Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69866468f9fa50a62f36cd1e
Added to database: 2/6/2026, 10:00:08 PM
Last enriched: 2/6/2026, 10:15:11 PM
Last updated: 2/6/2026, 11:00:53 PM
Related Threats
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)
- CVE-2026-25803: CWE-798: Use of Hard-coded Credentials in denpiligrim 3dp-manager (Critical)