MediumPublic exploit

Sliver C2 WireGuard netstack unrestricted client-to-client access

IdentifiersCVE-2025-27093CWE-284· Improper Access Control

CVE-2025-27093 affects the Sliver command-and-control framework’s custom WireGuard netstack in versions 1.5.43 and earlier, as well as the 1.6.0-dev development version. The vulnerable netstack does not enforce traffic restrictions between WireGuard clients, allowing peers on the Sliver WireGuard network to communicate with each other without intended isolation. As a result, compromised or additional WireGuard clients can reach services exposed by other clients, including operator-host services bound to the WireGuard interface, and can access port forwards that were expected to be limited. The issue is effectively a missing authorization/network-segmentation control within the WireGuard client mesh, rather than a memory corruption flaw.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unrestricted lateral network access between Sliver WireGuard clients. This can expose operator systems and other connected clients to scanning, direct connection attempts, and exploitation of services such as RDP, SSH, or SMB if those services are reachable via the WireGuard interface. The advisory notes potential information disclosure and remote code execution on operator machines depending on what services are exposed. In addition, leaked or recovered beacon WireGuard keypairs can be reused to instantiate rogue clients, maintain persistence within the WireGuard network, and access port-forwarded services from other implants.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, enforce a default-deny posture between WireGuard clients and permit only explicitly required flows. Apply host-based firewall rules on operator systems to block or tightly restrict inbound access on the WireGuard interface, especially for management services such as RDP, SSH, and SMB. Avoid binding sensitive services to 0.0.0.0 when that makes them reachable through the WireGuard interface. Limit or disable WireGuard-based port forwarding where feasible. Reduce the risk of key reuse by protecting beacon processes from memory or process dumping and restricting access to systems from which WireGuard private keys could be recovered.

Remediation

Patch, then assume compromise.

Upgrade Sliver to version 1.5.44 or later, which fixes the netstack behavior. All deployments using Sliver WireGuard functionality should be updated. After upgrading, review WireGuard peer isolation assumptions, validate that client-to-client traffic is appropriately restricted, and reassess operator host firewall policy and service bindings to ensure sensitive services are not unnecessarily exposed over the WireGuard interface.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Bishop FoxSliverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

ctoatncsc substackNews

Nov 29, 2025

CTO at NCSC Summary: week ending November 30th

A vulnerability in the Sliver C2 framework (<= 1.5.43) where its WireGuard-based netstack fails to restrict east-west traffic between WireGuard clients, enabling unintended implant-to-implant/operator reachability and potential abuse of leaked/recovered keys or exposed port forwards.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-27093

NVD

nvd.nist.gov/vuln/detail/CVE-2025-27093

MITRE CWE · CWE-284

Improper Access Control

github.com

github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff

github.com

github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd

github.com

github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7