CVE-2026-34227 affects Sliver, a command and control framework utilizing a custom WireGuard netstack. This vulnerability allows an unauthenticated attacker to seize control of all active C2 sessions and beacons with a single click on a malicious link. Versions of Sliver prior to 1.7.4 are vulnerable, and a patch is available in version 1.7.4.
The impact of CVE-2026-34227 is exceptionally severe. An attacker can silently take over every active Sliver C2 session, effectively gaining complete control over the compromised infrastructure. This includes the ability to exfiltrate sensitive data such as SSH keys and ntds.dit files, or completely destroy the environment. The attack vector is remarkably simple – a single malicious link clicked in the operator's browser is all it takes to compromise the entire system. This bypasses authentication entirely, making it a highly effective and dangerous attack.
CVE-2026-34227 was publicly disclosed on 2026-03-31. No public proof-of-concept (PoC) code has been released as of this writing, but the simplicity of the attack vector suggests a high probability of exploitation. The vulnerability has not been added to the CISA KEV catalog yet, but its severity warrants close monitoring. Active campaigns targeting Sliver are possible given the ease of exploitation.
Organizations using Sliver for penetration testing or red teaming activities are particularly at risk. Those with shared Sliver deployments or those who allow operators to use personal browsers for Sliver management are also at increased risk due to the ease of exploitation via malicious links.
• linux / server: Monitor Sliver logs for unusual activity or unauthorized session creations. Use journalctl -u sliver to review logs for suspicious patterns.
    journalctl -u sliver -f | grep -i "session created"
• generic web: Monitor web traffic for requests containing malicious URLs that could trigger the vulnerability. Use curl to inspect the response of potentially malicious links.
    curl -I <malicious_url>
• go: Examine Sliver binaries for modifications or suspicious code. Use go build -gcflags="-m" sliver to see memory allocation patterns.
Exploitation status: EPSS 0.02% (5th percentile)
The primary mitigation for CVE-2026-34227 is to immediately upgrade Sliver to version 1.7.4 or later. If upgrading is not immediately feasible, consider isolating vulnerable Sliver instances from external networks to prevent exposure to malicious links. While a direct workaround is unavailable, implementing strict browser security policies and user awareness training to prevent clicking suspicious links can reduce the risk. After upgrading, verify the fix by attempting to trigger a session takeover with a known malicious link – it should fail.
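Update Sliver to version 1.7.4 or later. This release fixes the insecure CORS vulnerability and the unauthenticated MCP interface, preventing unauthorized remote access and potential data leakage or destruction.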
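As an added illustration of the two weaknesses the 1.7.4 fix names (a permissive CORS policy and an interface with no authentication), the following Go sketch contrasts a handler that reflects any Origin with one that enforces an Origin allowlist and a bearer token. It is not Sliver's code: the handler names, the /rpc path, the origins and the token are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// weak (hypothetical, not Sliver code): reflects any Origin, checks no token.
func weak(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
	fmt.Fprint(w, "ok")
}

// hardened: Origin allowlist plus constant-time bearer token; fails closed.
func hardened(allowed map[string]bool, token string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		origin, got := r.Header.Get("Origin"), r.Header.Get("Authorization")
		if origin != "" && !allowed[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		if token == "" || subtle.ConstantTimeCompare([]byte(got), []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if origin != "" { // echo only an allowlisted origin
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		fmt.Fprint(w, "ok")
	}
}

// probe sends one POST and returns the status and the allow-origin header.
func probe(h http.HandlerFunc, origin, auth string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/rpc", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	allow := map[string]bool{"https://console.example": true} // constructed
	fmt.Println(probe(weak, "https://untrusted.example", ""))
	fmt.Println(probe(hardened(allow, "constructed-token"), "https://untrusted.example", ""))
}
```

Requests with no Origin header (non-browser clients) skip the allowlist but still need the token, so the token check is what protects the interface when it is reachable outside a browser.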
CVE-2026-34227 is a critical vulnerability in Sliver versions prior to 1.7.4 that allows an unauthenticated attacker to silently take control of all active C2 sessions via a malicious link.
If you are using a Sliver version earlier than 1.7.4, you are vulnerable to this attack. Immediately assess your environment and prioritize upgrading.
The fix is to upgrade to Sliver version 1.7.4 or later. If upgrading is not immediately possible, isolate vulnerable instances and implement browser security policies.
While no public exploits are currently known, the simplicity of the attack vector suggests a high probability of exploitation. Monitor your environment closely.
Refer to the official Sliver project's security advisories for the most up-to-date information and guidance: [https://github.com/sliver-team/sliver/security/advisories](https://github.com/sliver-team/sliver/security/advisories)