{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25791", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.639Z", "datePublished": "2026-02-09T20:34:31.144Z", "dateUpdated": "2026-02-10T15:59:20.819Z"}, "containers": {"cna": {"title": "Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp"}, {"name": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0"}], "affected": [{"vendor": "BishopFox", "product": "sliver", "versions": [{"version": "< 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:34:31.144Z"}, "descriptions": [{"lang": "en", "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0."}], "source": {"advisory": "GHSA-wxrw-gvg8-fqjp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:42.592936Z", "id": "CVE-2026-25791", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:59:20.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25791", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:42.592936Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:43.729Z"}}], "cna": {"title": "Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service", "source": {"advisory": "GHSA-wxrw-gvg8-fqjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "BishopFox", "product": "sliver", "versions": [{"status": "affected", "version": "< 1.7.0"}]}], "references": [{"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp", "name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0", "name": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:34:31.144Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25791", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:59:20.819Z", "dateReserved": "2026-02-05T19:58:01.639Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T20:34:31.144Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BD4DFA2-8C16-4122-A4D8-C3E03081913D", "versionEndExcluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0."}, {"lang": "es", "value": "Sliver es un framework de comando y control que utiliza un netstack Wireguard personalizado. Antes de la versi\u00f3n 1.7.0, el oyente DNS C2 acepta mensajes de arranque TOTP no autenticados y asigna sesiones DNS del lado del servidor sin validar los valores OTP, incluso cuando EnforceOTP est\u00e1 habilitado. Dado que las sesiones se almacenan sin una ruta de limpieza/caducidad en este flujo, un actor remoto no autenticado puede crear sesiones repetidamente y provocar el agotamiento de la memoria. Esta vulnerabilidad se corrige en la versi\u00f3n 1.7.0."}], "id": "CVE-2026-25791", "lastModified": "2026-02-23T17:42:31.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T21:15:49.650", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/BishopFox/sliver/releases/tag/v1.7.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T21:13:39.003635+00:00", "value": {"mitigation_remediation": ["Upgrade the Sliver package to version\u00a01.7.0 or newer, which includes validation of OTP values and proper session cleanup.", "Enable EnforceOTP in configuration to ensure all bootstrap messages are authenticated before session creation.", "Implement rate limiting or connection throttling on the DNS C2 listener to mitigate excessive session creation.", "Monitor server memory utilization and set alerts to detect anomalous growth that could indicate an ongoing attack."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via memory exhaustion and unauthenticated session flooding"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Sliver from BishopFox. Any installation running a version earlier than 1.7.0 is affected; the fix is available in release\u00a01.7.0 and later.", "description_and_impact": "A flaw in the DNS channel of the Sliver command\u2011and\u2011control framework allows an attacker to send one\u2011time\u2011password bootstrap messages without being authenticated. The server accepts and stores these bootstrap requests even when OTP enforcement is turned on. Because the session data has no cleanup or expiry for this flow, the attacker can repeatedly create many sessions, causing the server\u2019s memory consumption to grow without bound, ultimately leading to a denial of service. This is a classic case of resource exhaustion, classified as missing authentication (CWE\u2011306) and uncontrolled resource consumption (CWE\u2011400).", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact with a moderate to high exploitability. The EPSS score of less than 1% suggests that widespread exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, abusing the DNS C2 interface, and requires no prior authentication. Once exploited, the attacker can drive memory exhaustion on the C2 server, disrupting the operational availability of the command\u2011and\u2011control infrastructure."}}}}, "created": "2026-04-17T21:15:27.389866+00:00", "title": "Unauthenticated DNS C2 OTP Bypass Allows Session Flooding and Denial of Service", "updated": "2026-04-17T21:15:27.389878+00:00", "vendors": []}