CVE-2026-25791: CWE-306: Missing Authentication for Critical Function in BishopFox sliver
CVE-2026-25791 is a high-severity vulnerability in BishopFox's Sliver C2 framework in versions prior to 1.7.0. The DNS C2 listener accepts unauthenticated TOTP bootstrap messages, allowing remote attackers to create server-side DNS sessions without any OTP being validated, even when EnforceOTP is enabled. These sessions have no cleanup or expiry, so an attacker can exhaust server memory by repeatedly creating them. The vulnerability impacts availability but does not affect confidentiality or integrity. No authentication or user interaction is required, and exploitation can be performed remotely over the network. The issue is fixed in Sliver version 1.7.0.
AI Analysis
Technical Summary
CVE-2026-25791 is a vulnerability in the Sliver command and control (C2) framework developed by BishopFox, specifically affecting versions prior to 1.7.0. Sliver uses a custom Wireguard-based network stack and supports a DNS C2 listener that facilitates communication between the C2 server and agents. The vulnerability arises because the DNS C2 listener accepts Time-based One-Time Password (TOTP) bootstrap messages without authenticating them, even when the EnforceOTP feature is enabled. This lack of authentication (CWE-306) allows an unauthenticated remote attacker to send arbitrary bootstrap messages that cause the server to allocate DNS sessions without validating the OTP values. Furthermore, these sessions are stored indefinitely without any cleanup or expiry mechanism, leading to uncontrolled resource consumption (CWE-400 - Uncontrolled Resource Consumption). An attacker can exploit this by repeatedly sending bootstrap messages to create numerous DNS sessions, ultimately exhausting the server's memory and causing a denial of service (DoS) condition. The vulnerability does not compromise confidentiality or integrity but severely impacts availability. Exploitation requires no privileges or user interaction and can be performed remotely over the network. The issue was publicly disclosed and fixed in Sliver version 1.7.0, which implements proper OTP validation and session management to prevent memory exhaustion.
Potential Impact
For European organizations, particularly those involved in cybersecurity operations, red teaming, or offensive security exercises that utilize the Sliver framework, this vulnerability poses a significant risk to operational availability. An attacker can remotely induce a denial of service on the C2 infrastructure by exhausting memory resources, potentially disrupting ongoing security assessments or incident response activities. This disruption could delay threat detection and mitigation efforts, increasing exposure to other threats. Critical infrastructure sectors such as energy, finance, and telecommunications that may employ Sliver for internal security testing could face operational interruptions. Additionally, organizations relying on Sliver in multi-tenant or cloud environments risk collateral impact if the vulnerability is exploited. Although no known exploits are currently reported in the wild, the ease of exploitation and lack of authentication requirements make this a credible threat. The absence of confidentiality or integrity impact limits data breach concerns but does not diminish the operational risks associated with availability loss.
Mitigation Recommendations
European organizations should immediately upgrade all Sliver deployments to version 1.7.0 or later, where the vulnerability is patched. Until upgrades are complete, implement network-level controls to restrict access to the DNS C2 listener, limiting it to trusted IP addresses and internal networks to reduce exposure to unauthenticated remote attackers. Monitor DNS session creation rates and memory usage on Sliver servers to detect abnormal spikes indicative of exploitation attempts. Employ rate limiting or firewall rules to throttle excessive bootstrap message traffic. Conduct regular audits of C2 infrastructure configurations to ensure EnforceOTP is properly enabled and functioning as intended. For organizations using Sliver in cloud or shared environments, isolate C2 servers to prevent resource exhaustion from affecting other tenants. Finally, incorporate this vulnerability into incident response playbooks and train security teams to recognize signs of exploitation.
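The defect described in the technical summary is a sequencing and lifecycle problem: a session is allocated before the OTP is checked, and once allocated it is never reaped. The following Go example, added here and not taken from Sliver's own code, shows the shape of a hardened bootstrap handler: authenticate the TOTP first, reap idle entries, enforce a cap on the session table, and only then allocate. The `SessionStore`, `Bootstrap` and the 8-digit, 30-second TOTP parameters are assumptions chosen for illustration; they are not Sliver's internal API or its actual OTP format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep   = 30 * time.Second // RFC 6238 default time step
	totpDigits = 8                // assumed code length; Sliver's real format is not on the page
)

// TOTPCode returns the RFC 6238 code (HMAC-SHA1, dynamic truncation) for secret at time t.
func TOTPCode(secret []byte, t time.Time) uint32 {
	counter := uint64(t.Unix()) / uint64(totpStep/time.Second)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return bin % mod
}

// validTOTP accepts the current step plus one step of clock skew either side.
func validTOTP(secret []byte, code uint32, now time.Time) bool {
	for _, skew := range []time.Duration{-totpStep, 0, totpStep} {
		expected := TOTPCode(secret, now.Add(skew))
		if subtle.ConstantTimeEq(int32(expected), int32(code)) == 1 {
			return true
		}
	}
	return false
}

var (
	ErrBadOTP          = errors.New("bootstrap rejected: OTP validation failed")
	ErrTooManySessions = errors.New("bootstrap rejected: session limit reached")
)

// Session is a hypothetical server-side DNS session record.
type Session struct {
	ID       string
	Created  time.Time
	LastSeen time.Time
}

// SessionStore is a hypothetical, bounded session table with an idle TTL.
type SessionStore struct {
	mu          sync.Mutex
	sessions    map[string]*Session
	secret      []byte
	enforceOTP  bool
	maxSessions int
	ttl         time.Duration
	now         func() time.Time // injectable clock so expiry can be tested deterministically
}

func NewSessionStore(secret []byte, enforceOTP bool, maxSessions int, ttl time.Duration, now func() time.Time) *SessionStore {
	if now == nil {
		now = time.Now
	}
	return &SessionStore{sessions: map[string]*Session{}, secret: secret,
		enforceOTP: enforceOTP, maxSessions: maxSessions, ttl: ttl, now: now}
}

// Bootstrap handles one TOTP bootstrap message. The order is the point:
// an unauthenticated message must never reach the allocation step.
func (s *SessionStore) Bootstrap(sessionID string, otp uint32) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	if s.enforceOTP && !validTOTP(s.secret, otp, now) {
		return ErrBadOTP // nothing allocated, nothing to exhaust
	}
	s.reapLocked(now) // expire idle sessions before counting
	if existing, ok := s.sessions[sessionID]; ok {
		existing.LastSeen = now // re-bootstrap of a known ID does not grow the table
		return nil
	}
	if len(s.sessions) >= s.maxSessions {
		return ErrTooManySessions // hard cap bounds memory even with valid OTPs
	}
	s.sessions[sessionID] = &Session{ID: sessionID, Created: now, LastSeen: now}
	return nil
}

// reapLocked deletes sessions idle for longer than ttl; caller holds s.mu.
func (s *SessionStore) reapLocked(now time.Time) {
	for id, sess := range s.sessions {
		if now.Sub(sess.LastSeen) > s.ttl {
			delete(s.sessions, id)
		}
	}
}

// Len reports the current number of live sessions (useful as a monitoring metric).
func (s *SessionStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed sample value
	store := NewSessionStore(secret, true, 100, 5*time.Minute, nil)
	fmt.Println("bad OTP:", store.Bootstrap("agent-1", 0), "sessions:", store.Len())
	fmt.Println("good OTP:", store.Bootstrap("agent-1", TOTPCode(secret, time.Now())), "sessions:", store.Len())
}
```

Exposing `Len()` (or an equivalent gauge) is what makes the monitoring recommendation above actionable: a session count that climbs without a matching number of legitimate implants, or a rate of `ErrBadOTP` rejections well above normal, is the signal to alert on.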
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T19:58:01.639Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698a47984b57a58fa1702e42
Added to database: 2/9/2026, 8:46:16 PM
Last enriched: 2/17/2026, 9:48:26 AM
Last updated: 2/21/2026, 12:16:07 AM