CVE-2026-25791

7.5 HIGH

📋 TL;DR

This vulnerability in the Sliver C2 framework allows unauthenticated attackers to create unlimited DNS sessions without OTP validation, leading to memory exhaustion and denial of service. It affects Sliver installations using DNS C2 listeners with EnforceOTP enabled, and it can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Sliver C2 Framework
Versions: All versions prior to 1.7.0
Operating Systems: All platforms running Sliver
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using DNS C2 listeners with EnforceOTP enabled. Other listeners are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption through memory exhaustion, potentially crashing the C2 server and losing all active implants/agents.

🟠 Likely Case: Degraded performance and eventual denial of service as memory is consumed by fake sessions, disrupting command and control operations.

🟢 If Mitigated: Limited impact if proper network segmentation and monitoring are in place to detect abnormal DNS traffic patterns.

🌐 Internet-Facing: HIGH - Attackers can exploit remotely without authentication via DNS requests.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access to the C2 server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DNS requests to the vulnerable listener. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0

Vendor Advisory: https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp

Restart Required: Yes

Instructions:

1. Download Sliver v1.7.0 from GitHub releases.
2. Stop all Sliver services.
3. Replace existing Sliver binaries with v1.7.0.
4. Restart Sliver services.

🔧 Temporary Workarounds

Disable DNS C2 Listener (Platform: all)

Temporarily disable the vulnerable DNS C2 listener until patching is complete.

sliver > listeners rm [DNS_LISTENER_NAME]

Network ACL Restriction (Platform: all)

Restrict DNS traffic to trusted sources only using firewall rules.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate C2 infrastructure
  • Deploy memory monitoring and alerting for abnormal consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check the Sliver version and verify whether a DNS C2 listener is running with EnforceOTP enabled.

Check Version:

sliver version

Verify Fix Applied:

Verify that the Sliver version is 1.7.0 or higher using the version command.

📡 Detection & Monitoring

Log Indicators:

  • Abnormal increase in DNS session creation
  • Memory exhaustion alerts from Sliver process

Network Indicators:

  • High volume of DNS requests to C2 listener from single/untrusted sources
  • DNS requests with TOTP bootstrap patterns

SIEM Query:

source="sliver" AND (event="session_created" OR event="memory_warning") | stats count by src_ip
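The SIEM query above only counts events per source; the signal that distinguishes this DoS from normal operator activity is a burst of session creations from one source in a short window. The script below is an added example (not part of this page or of the Sliver project) that applies the same `stats count by src_ip` logic over constructed log lines and adds a sliding-window burst check. The JSON-lines log shape and the field names `ts`, `source`, `event` and `src_ip` are assumptions: Sliver's actual log format is not documented on this page, so adapt the parser to what your log pipeline emits.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an ASSUMED JSON-lines shape. These are not
# real Sliver logs; the field names are placeholders to adapt to your pipeline.
SAMPLE_LOGS = """\
{"ts": "2026-01-10T12:00:00Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.5"}
{"ts": "2026-01-10T12:00:01Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.5"}
{"ts": "2026-01-10T12:00:02Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.5"}
{"ts": "2026-01-10T12:00:03Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.5"}
{"ts": "2026-01-10T12:00:04Z", "source": "sliver", "event": "beacon_checkin", "src_ip": "10.0.0.9"}
{"ts": "2026-01-10T12:00:05Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.5"}
{"ts": "2026-01-10T12:00:06Z", "source": "sliver", "event": "memory_warning", "src_ip": "10.0.0.5"}
{"ts": "2026-01-10T12:00:10Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.9"}
{"ts": "2026-01-10T12:09:00Z", "source": "sliver", "event": "session_created", "src_ip": "10.0.0.5"}
this line is not JSON and must be skipped
"""

# The two event types named in the page's SIEM query.
WATCHED_EVENTS = {"session_created", "memory_warning"}


def parse_events(text):
    """Yield (timestamp, event, src_ip) for well-formed sliver lines with a watched event."""
    for raw in text.splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole run
        if rec.get("source") != "sliver" or rec.get("event") not in WATCHED_EVENTS:
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield ts, rec["event"], rec["src_ip"]


def count_by_src_ip(text):
    """Equivalent of the page's `stats count by src_ip`: watched events per source."""
    return Counter(ip for _, _, ip in parse_events(text))


def burst_sources(text, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: peak_count} for sources whose session_created events reach
    `threshold` inside any `window`-long interval (sliding window per source).
    A sustained flood from one source is the pattern described in the TL;DR."""
    per_ip = defaultdict(list)
    for ts, event, ip in parse_events(text):
        if event == "session_created":
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window start until it fits within `window` of `ts`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("events per source:", dict(count_by_src_ip(SAMPLE_LOGS)))
    print("burst sources    :", burst_sources(SAMPLE_LOGS))
```

The threshold of five sessions in five minutes is illustrative; set it from the normal session-creation rate of your own team's engagements so that legitimate implant check-ins do not trip it, and correlate a flagged source with the `memory_warning` events to confirm the exhaustion is under way.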
