Platform: go
Component: sliver
Fixed in: 1.7.5
CVE-2026-34227 affects Sliver, a command and control framework that uses a custom WireGuard netstack. The vulnerability allows an unauthenticated attacker to seize control of all active C2 sessions and beacons when an operator clicks a single malicious link. Versions of Sliver prior to 1.7.4 are vulnerable, and a patch is available in version 1.7.4.
The impact of CVE-2026-34227 is exceptionally severe. An attacker can silently take over every active Sliver C2 session, effectively gaining complete control over the compromised infrastructure. This includes the ability to exfiltrate sensitive data such as SSH keys and ntds.dit files, or completely destroy the environment. The attack vector is remarkably simple – a single malicious link clicked in the operator's browser is all it takes to compromise the entire system. This bypasses authentication entirely, making it a highly effective and dangerous attack.
CVE-2026-34227 was publicly disclosed on 2026-03-31. No public proof-of-concept (PoC) code has been released as of this writing, but the simplicity of the attack vector suggests a high probability of exploitation. The vulnerability has not been added to the CISA KEV catalog yet, but its severity warrants close monitoring. Active campaigns targeting Sliver are possible given the ease of exploitation.
Exploit Status
EPSS: 0.02% (5% percentile)
The primary mitigation for CVE-2026-34227 is to immediately upgrade Sliver to version 1.7.4 or later. If upgrading is not immediately feasible, consider isolating vulnerable Sliver instances from external networks to prevent exposure to malicious links. While a direct workaround is unavailable, implementing strict browser security policies and user awareness training to prevent clicking suspicious links can reduce the risk. After upgrading, verify the fix by attempting to trigger a session takeover with a known malicious link – it should fail.
Update Sliver to version 1.7.4 or later. This version fixes the insecure CORS and unauthenticated MCP interface vulnerabilities, preventing unauthorized remote access and potential data exfiltration or destruction.
CVE-2026-34227 is a critical vulnerability in Sliver versions ≤ 1.7.4 that allows an unauthenticated attacker to silently take control of all active C2 sessions via a malicious link.
If you are using Sliver version 1.7.4 or earlier, you are vulnerable to this attack. Immediately assess your environment and prioritize upgrading.
The fix is to upgrade to Sliver version 1.7.4 or later. If upgrading is not immediately possible, isolate vulnerable instances and implement browser security policies.
While no public exploits are currently known, the simplicity of the attack vector suggests a high probability of exploitation. Monitor your environment closely.
Refer to the official Sliver project's security advisories for the most up-to-date information and guidance: [https://github.com/sliver-team/sliver/security/advisories](https://github.com/sliver-team/sliver/security/advisories)