Platform
python
Component
empire
Fixed in
5.9.3
CVE-2024-6127 is a critical Remote Code Execution (RCE) vulnerability affecting BC Security Empire versions prior to 5.9.3. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a target system by exploiting a path traversal flaw during payload uploads. Successful exploitation requires the attacker to act as a normal agent, complete cryptographic handshakes, and then upload a malicious payload containing a crafted path. Upgrade to version 5.9.3 to resolve this issue.
The impact of CVE-2024-6127 is severe. An attacker can achieve full remote code execution on a compromised Empire agent. This allows them to execute arbitrary commands, steal sensitive data, install malware, and potentially pivot to other systems within the network. Given Empire's role as a post-exploitation framework, this vulnerability provides a direct pathway to compromise and control targeted environments. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to access unauthorized resources.
CVE-2024-6127 was publicly disclosed on 2024-06-27. No known public proof-of-concept (POC) exploits are currently available, but the vulnerability's severity and ease of exploitation suggest it is likely to be targeted. Its inclusion in Empire, a widely used post-exploitation framework, increases the risk of exploitation. The EPSS score is likely to be medium to high, reflecting the potential for widespread exploitation.
Organizations using Empire for penetration testing or red teaming activities are particularly at risk. Security teams relying on Empire for post-exploitation tasks, especially those running older, unpatched versions, are also vulnerable. Shared hosting environments where multiple users share the same Empire instance could also be affected, as an attacker could potentially compromise the entire environment.
• python: Monitor Empire agent logs for unusual file upload attempts or unexpected command execution. Use Get-Process to identify Empire processes and check their command-line arguments for suspicious activity.
  Get-Process -Name Empire -FileVersionInfo | Select-Object -ExpandProperty FileVersion
• linux / server: Examine system logs (e.g., /var/log/syslog, /var/log/auth.log) for evidence of unauthorized file uploads or command execution. Use lsof to identify processes accessing unusual files.
  lsof | grep Empire
• generic web: Monitor web server access logs for requests containing path traversal sequences (e.g., ../).
Disclosure
Exploit Status
EPSS
66.11% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6127 is to immediately upgrade Empire to version 5.9.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file upload locations and validating user-supplied input to prevent path traversal attempts. Network segmentation can also limit the potential blast radius of a successful exploit. Monitor Empire agent activity for suspicious file uploads or command execution patterns. While a WAF might offer some protection, it is unlikely to be sufficient given the nature of the vulnerability.
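Two of the measures above, validating the upload destination so a crafted name cannot leave the upload directory and scanning access logs for traversal sequences, as an added Python example (not Empire's own code; the directory names, log lines and function names are constructed for illustration):

```python
"""Added example, not Empire's own code: hardened destination handling for
uploaded payload names, plus a log check for traversal sequences."""
from pathlib import Path
from urllib.parse import unquote


def resolve_upload_path(base_dir: str, requested_name: str) -> Path:
    """Return the destination for an upload, or raise ValueError.

    requested_name is untrusted: it is joined to base_dir and the fully
    resolved result must still lie inside base_dir (symlinks included).
    """
    base = Path(base_dir).resolve()
    # Absolute names (POSIX or Windows style) are never valid upload targets.
    if requested_name.startswith(("/", "\\")) or Path(requested_name).is_absolute():
        raise ValueError(f"absolute path rejected: {requested_name!r}")
    # Normalise backslashes so Windows-style ..\ is caught on POSIX hosts too.
    candidate = (base / requested_name.replace("\\", "/")).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"path escapes upload directory: {requested_name!r}")
    return candidate


def find_traversal_requests(log_lines):
    """Return (line_no, raw_path) for access-log lines whose request path
    contains ../ or ..\\ after percent-decoding (catches %2e%2e%2f too)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            raw_path = line.split('"')[1].split(" ")[1]  # 'POST /x HTTP/1.1'
        except IndexError:
            continue
        decoded = unquote(unquote(raw_path))  # second pass catches double encoding
        if "../" in decoded or "..\\" in decoded:
            hits.append((n, raw_path))
    return hits


# Constructed sample lines, not from a real deployment.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [27/Jun/2024:10:00:01 +0000] "POST /upload/stager.py HTTP/1.1" 200 15',
    '10.0.0.9 - - [27/Jun/2024:10:00:02 +0000] "POST /upload/../../tmp/x.py HTTP/1.1" 200 15',
    '10.0.0.9 - - [27/Jun/2024:10:00:03 +0000] "POST /upload/%2e%2e%2f%2e%2e%2ftmp%2fy.py HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for line_no, path in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: traversal sequence in {path}")
```

A name such as nested/../ok.py is accepted because it still resolves inside the upload directory; only names whose resolved path leaves that directory are refused.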
Update BC Security Empire to version 5.9.3 or later. This version contains the fix for the path traversal vulnerability. The update can be performed by downloading the new version from the official repository and replacing the existing files.
CVE-2024-6127 is a critical RCE vulnerability in Empire versions 0–5.9.3, allowing unauthenticated attackers to execute code via path traversal during payload uploads.
If you are using Empire versions prior to 5.9.3, you are vulnerable to this RCE exploit. Immediately check your version and upgrade if necessary.
The recommended fix is to upgrade Empire to version 5.9.3 or later. If upgrading is not possible, implement temporary workarounds like restricting file upload locations.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Refer to the BC Security advisory for detailed information and updates: [https://bc-security.com/releases/empire-5.9.3/](https://bc-security.com/releases/empire-5.9.3/)