CVE-2026-26068
Published: 12 February 2026
Summary
CVE-2026-26068 is a critical-severity Command Injection (CWE-77) vulnerability in Jm33-M0 Emp3R0R. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 28.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates untrusted agent metadata (Transport, Hostname) prior to interpolation into tmux shell commands, directly preventing command injection and RCE on the operator host.
- Remediates the specific command injection flaw by identifying, reporting, and applying the vendor patch to emp3r0r version 3.21.1 or later.
- Monitors and scans for vulnerabilities like CVE-2026-26068 in the emp3r0r C2 server to identify and prioritize remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables remote code execution via command injection in the C2 server by interpolating untrusted agent metadata into /bin/sh -c shell commands (T1059.004: Unix Shell), exploiting a vulnerability in a remote network service (T1210: Exploitation of Remote Services).
NVD Description
emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1.
Deeper analysis
CVE-2026-26068 is a command injection vulnerability in emp3r0r, a stealth-focused command-and-control (C2) framework designed by Linux users for Linux environments. In versions prior to 3.21.1, the C2 server accepts untrusted metadata from agents during check-in, including fields such as Transport and Hostname. This metadata is later interpolated into tmux shell command strings executed via /bin/sh -c on the operator host, enabling remote code execution. The vulnerability is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
The attack scenario involves a compromised emp3r0r agent on a target Linux system, where an attacker with low privileges (PR:L) can craft malicious metadata during the check-in process. Exploitation requires network access to the C2 server (AV:N) with low complexity and no user interaction. Successful exploitation allows arbitrary command injection and remote code execution on the operator's host machine, with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) and a changed scope (S:C), up to full compromise of the C2 infrastructure.
Mitigation is addressed in emp3r0r version 3.21.1, which fixes the vulnerability by preventing untrusted metadata interpolation. Security practitioners running emp3r0r C2 servers should update to v3.21.1 or later, as detailed in the project's GitHub security advisory (GHSA-h5p4-4xp4-vjpp), release notes, and the fixing commit.
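The two patterns the analysis contrasts, metadata pasted into a /bin/sh -c string versus metadata validated and passed as a single argv element, are shown below in Go as an added example written for this page. It is not emp3r0r's code and not the 3.21.1 fix; the AgentCheckin type, the allowlist patterns, the tmux window-naming convention and the sample check-ins are all constructed assumptions. The unsafe string is only built and returned, never executed.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// AgentCheckin is a constructed stand-in for the agent metadata the advisory
// names (Transport, Hostname). Field names are assumptions, not emp3r0r's types.
type AgentCheckin struct {
	Transport string
	Hostname  string
}

// hostnameRe allows only RFC 1123-style labels (letters, digits, '-', '.'),
// which leaves no room for shell metacharacters such as ; $ ( ) ` | & or quotes.
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

// transportRe allows a short token of lowercase letters, digits, '_' and '-'
// (assumed shape; a real server would use a fixed allowlist of transport names).
var transportRe = regexp.MustCompile(`^[a-z0-9_-]{1,32}$`)

// ValidateCheckin rejects metadata that must never reach a command line (SI-10).
func ValidateCheckin(c AgentCheckin) error {
	if len(c.Hostname) == 0 || len(c.Hostname) > 253 || !hostnameRe.MatchString(c.Hostname) {
		return fmt.Errorf("hostname %q rejected by allowlist", c.Hostname)
	}
	if !transportRe.MatchString(c.Transport) {
		return fmt.Errorf("transport %q rejected by allowlist", c.Transport)
	}
	return nil
}

// UnsafeShellString shows the vulnerable pattern: untrusted fields are pasted
// into one string that /bin/sh -c would parse. It is returned, never executed.
func UnsafeShellString(c AgentCheckin) string {
	return fmt.Sprintf("tmux new-window -n %s-%s", c.Transport, c.Hostname)
}

// SafeArgv is the hardened pattern: validate first, then hand the metadata to
// tmux as a single argv element so no shell ever parses it.
func SafeArgv(c AgentCheckin) ([]string, error) {
	if err := ValidateCheckin(c); err != nil {
		return nil, err
	}
	window := c.Transport + "-" + c.Hostname
	return []string{"tmux", "new-window", "-n", window}, nil
}

// RunSafe executes the argv through exec.Command without a shell. It is kept
// separate so validation and argv construction are testable without tmux.
func RunSafe(c AgentCheckin) error {
	argv, err := SafeArgv(c)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

// HasShellMetachars is a cheap detection hook for check-in logging: flag any
// field carrying characters a shell would interpret.
func HasShellMetachars(s string) bool {
	return strings.ContainsAny(s, ";|&$`\"'()<>\n")
}

func main() {
	// Constructed sample check-ins: one benign, one with a ';' in Hostname.
	benign := AgentCheckin{Transport: "http2", Hostname: "web-01.corp.example"}
	hostile := AgentCheckin{Transport: "http2", Hostname: "web-01;true"}

	for _, c := range []AgentCheckin{benign, hostile} {
		fmt.Printf("unsafe string: %q\n", UnsafeShellString(c))
		argv, err := SafeArgv(c)
		fmt.Printf("safe argv: %q  err: %v  flagged: %v\n\n", argv, err, HasShellMetachars(c.Hostname))
	}
}
```

The point of the split is that the hostile check-in is refused before any process is spawned, and even a value that slipped past the allowlist would reach tmux as one literal argument rather than as shell syntax; HasShellMetachars gives the operator a log signal for check-ins that look like injection attempts.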
Details
- CWE(s)