
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2286-HXV5-CMP2: Sliver of Truth: Exposing the C2 Server via Path Traversal


Vulnerability ID: GHSA-2286-HXV5-CMP2
CVSS Score: 6.5
Published: 2026-02-05

Bishop Fox Sliver, a premier command and control framework, suffers from an authenticated path traversal vulnerability in its website management subsystem. By manipulating the logical path of hosted content, an operator can coerce the server into reading arbitrary files from the host filesystem. This turns the hunters into the hunted, allowing low-privileged operators to exfiltrate sensitive server configurations, SSH keys, or system credentials.

TL;DR

Authenticated operators on a Sliver C2 server (v1.6.10 and below) can read arbitrary files on the host system by using directory traversal sequences (../) in the WebsiteAddContent RPC. Fixed in v1.6.11.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: N/A (GHSA-2286-HXV5-CMP2)
  • CVSS v3.1: 6.5 (Medium)
  • Attack Vector: Network (Authenticated gRPC)
  • CWE: CWE-22 (Path Traversal)
  • Impact: Arbitrary File Read
  • Privileges Required: Low (Operator)

Affected Systems

  • Bishop Fox Sliver Server < 1.6.11
  • Sliver: < 1.6.11 (Fixed in: 1.6.11)

Code Analysis

Commit: 8181273

Fix path traversal in website content loading

@@ -52,7 +52,10 @@ func (w *Website) BeforeCreate(tx *gorm.DB) (err error) {
 func (w *Website) ToProtobuf(webContentDir string) *clientpb.Website {
    WebContents := map[string]*clientpb.WebContent{}
    for _, webcontent := range w.WebContents {
-       contents, _ := os.ReadFile(filepath.Join(webContentDir, webcontent.Path))
+       contents, err := os.ReadFile(filepath.Join(webContentDir, webcontent.ID.String()))
+       if err != nil {
+           continue
+       }
        WebContents[webcontent.ID.String()] = webcontent.ToProtobuf(&contents)
    }
    return &clientpb.Website{
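Review bot: the new `continue` on a failed `os.ReadFile` drops the website entry silently, so an operator listing the website will see content vanish with no indication of why; log the error (keyed by `webcontent.ID`, not by the old stored path) before continuing. Also worth confirming, since it is outside this hunk, that the write side in the WebsiteAddContent handler now stores files under `webcontent.ID.String()` as well, otherwise content written under the old `webcontent.Path` names will no longer be found by this read.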

Exploit Details

  • GHSA: Proof of Concept in Go demonstrating /etc/hosts read

Mitigation Strategies

  • Input Validation
  • Least Privilege
  • Containerization

Remediation Steps:

  1. Upgrade Bishop Fox Sliver to version v1.6.11 or later immediately.
  2. If immediate patching is impossible, restrict access to the Website and WebsiteAddContent RPC commands via the RBAC system.
  3. Ensure the Sliver server process is NOT running as root. Create a dedicated sliver user with limited filesystem access.
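As an added illustration of the CWE-22 pattern in the hunk under Code Analysis and of the Input Validation mitigation (example code written for this post, not Sliver's own), the pre-fix join is shown beside two hardened variants: a containment check on the logical path, and the ID-keyed naming that the upstream fix adopts. The content directory and the UUID are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrTraversal = errors.New("website content path escapes content directory")

// Content IDs are server-generated UUIDs; reject anything else before it can
// become part of a filesystem path (added check, not Sliver's own code).
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
// vulnerableContentPath mirrors the pre-fix join in ToProtobuf: the operator
// supplied logical path goes straight into Join, which cleans "../" upward.
func vulnerableContentPath(webContentDir, logicalPath string) string {
	return filepath.Join(webContentDir, logicalPath)
}

// safeContentPath keeps the logical path but verifies, after cleaning, that the
// result is a strict descendant of webContentDir; Rel yields ".." if it escaped.
func safeContentPath(webContentDir, logicalPath string) (string, error) {
	base := filepath.Clean(webContentDir)
	full := filepath.Join(base, logicalPath)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// idContentPath follows the upstream fix: the on-disk name is the record's
// UUID, so operator input never reaches the filesystem path at all.
func idContentPath(webContentDir, id string) (string, error) {
	if !uuidRe.MatchString(id) {
		return "", fmt.Errorf("content id %q is not a UUID", id)
	}
	return filepath.Join(webContentDir, id), nil
}

func main() {
	dir := "/opt/sliver/web" // constructed example content directory
	for _, p := range []string{"index.html", "../../../etc/hosts"} {
		safe, err := safeContentPath(dir, p)
		fmt.Printf("%-20s vulnerable=%s safe=%q err=%v\n", p, vulnerableContentPath(dir, p), safe, err)
	}
}
```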

References


Read the full report for GHSA-2286-HXV5-CMP2 on our website for more details including interactive diagrams and full exploit analysis.
