Platform: go
Component: sliver
Fixed in: 1.7.5
CVE-2026-34227 affects Sliver, a command and control framework utilizing a custom Wireguard netstack. This vulnerability allows an unauthenticated attacker to seize control of all active C2 sessions and beacons with a single click on a malicious link. Versions of Sliver prior to 1.7.4 are vulnerable, and a patch is available in version 1.7.4.
The impact of CVE-2026-34227 is exceptionally severe. An attacker can silently take over every active Sliver C2 session, effectively gaining complete control over the compromised infrastructure. This includes the ability to exfiltrate sensitive data such as SSH keys and ntds.dit files, or completely destroy the environment. The attack vector is remarkably simple – a single malicious link clicked in the operator's browser is all it takes to compromise the entire system. This bypasses authentication entirely, making it a highly effective and dangerous attack.
CVE-2026-34227 was publicly disclosed on 2026-03-31. No public proof-of-concept (PoC) code has been released as of this writing, but the simplicity of the attack vector suggests a high probability of exploitation. The vulnerability has not been added to the CISA KEV catalog yet, but its severity warrants close monitoring. Active campaigns targeting Sliver are possible given the ease of exploitation.
Organizations using Sliver for penetration testing or red teaming activities are particularly at risk. Those with shared Sliver deployments or those who allow operators to use personal browsers for Sliver management are also at increased risk due to the ease of exploitation via malicious links.
• linux / server: Monitor Sliver logs for unusual activity or unauthorized session creations. Use journalctl -u sliver to review logs for suspicious patterns.
journalctl -u sliver -f | grep -i "session created"
• generic web: Monitor web traffic for requests containing malicious URLs that could trigger the vulnerability. Use curl to inspect the response of potentially malicious links.
curl -I <malicious_url>
• go: Examine Sliver binaries for modifications or suspicious code. Use go build -gcflags="-m" sliver to see memory allocation patterns.
EPSS: 0.02% (5% percentile)
The primary mitigation for CVE-2026-34227 is to immediately upgrade Sliver to version 1.7.4 or later. If upgrading is not immediately feasible, consider isolating vulnerable Sliver instances from external networks to prevent exposure to malicious links. While a direct workaround is unavailable, implementing strict browser security policies and user awareness training to prevent clicking suspicious links can reduce the risk. After upgrading, verify the fix by attempting to trigger a session takeover with a known malicious link – it should fail.
Upgrade Sliver to version 1.7.4 or later. This version fixes the insecure CORS and unauthenticated MCP interface vulnerabilities, preventing unauthorized remote access and possible data exfiltration or destruction.
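The fix description above names two conditions: insecure CORS and an interface that needs no authentication. The Go check below is an added example, not code from Sliver or from this page; it tests an HTTP handler for both conditions and can serve as a regression test for a local management interface. The handlers `weak` and `hardened`, the probe origin and the token are constructed stand-ins and do not reproduce Sliver's actual interface.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const probeOrigin, token = "https://untrusted.example", "Bearer constructed-token" // constructed values

// auditCORS replays what a foreign web page can make the operator's browser
// send (an Origin header, no credentials) and lists what the handler permits.
func auditCORS(h http.Handler) []string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", probeOrigin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var findings []string
	switch rec.Header().Get("Access-Control-Allow-Origin") {
	case "*":
		findings = append(findings, "wildcard Access-Control-Allow-Origin")
	case probeOrigin:
		findings = append(findings, "arbitrary Origin reflected")
	}
	if rec.Code < 300 {
		findings = append(findings, "request served without credentials")
	}
	return findings
}

// weak is a constructed handler: reflects any Origin, no authentication.
func weak(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
	fmt.Fprint(w, "ok")
}

// hardened is a constructed handler: no CORS grant, token required.
func hardened(w http.ResponseWriter, r *http.Request) {
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(token)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "ok")
}

func main() {
	fmt.Println("weak:", auditCORS(http.HandlerFunc(weak)))
	fmt.Println("hardened:", auditCORS(http.HandlerFunc(hardened)))
}
```

An empty result means the handler neither granted the foreign origin read access nor answered the unauthenticated request.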
CVE-2026-34227 is a critical vulnerability in Sliver versions ≤ 1.7.4 that allows an unauthenticated attacker to silently take control of all active C2 sessions via a malicious link.
If you are using Sliver version 1.7.4 or earlier, you are vulnerable to this attack. Immediately assess your environment and prioritize upgrading.
The fix is to upgrade to Sliver version 1.7.4 or later. If upgrading is not immediately possible, isolate vulnerable instances and implement browser security policies.
While no public exploits are currently known, the simplicity of the attack vector suggests a high probability of exploitation. Monitor your environment closely.
Refer to the official Sliver project's security advisories for the most up-to-date information and guidance: [https://github.com/sliver-team/sliver/security/advisories](https://github.com/sliver-team/sliver/security/advisories)