Cyber Resilience

CVE-2026-26068

Critical · Public PoC · RCE

Published: 12 February 2026
Modified: 25 February 2026
CVSS score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0327 (86.8th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-26068 is a critical-severity Command Injection (CWE-77) vulnerability in Jm33-M0 Emp3R0R. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 13.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26068 is a command injection vulnerability in emp3r0r, a stealth-focused command-and-control (C2) framework designed by Linux users for Linux environments. In versions prior to 3.21.1, the C2 server accepts untrusted metadata from agents during check-in, including fields such as Transport and Hostname. This metadata is later interpolated into tmux shell command strings executed via /bin/sh -c on the operator host, enabling remote code execution. The vulnerability is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

The attack scenario involves a compromised emp3r0r agent on a target Linux system, where an attacker with low privileges (PR:L) can craft malicious metadata during the check-in process. Exploitation requires network access to the C2 server (AV:N) with low complexity and no user interaction. Successful exploitation allows arbitrary command injection and remote code execution on the operator's host machine, potentially granting high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) across the changed scope (S:C), such as full system compromise of the C2 infrastructure.

Mitigation is addressed in emp3r0r version 3.21.1, which fixes the vulnerability by preventing untrusted metadata interpolation. Security practitioners running emp3r0r C2 servers should update to v3.21.1 or later, as detailed in the project's GitHub security advisory (GHSA-h5p4-4xp4-vjpp), release notes, and the fixing commit.
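The defensive pattern the fix and the SI-10 control describe, shown as an added Go example (not emp3r0r's own code): the check-in fields are validated against a strict allowlist and then placed into a tmux argv directly, so no agent-controlled text is ever handed to /bin/sh -c. The AgentMeta type, the hostname pattern and the transport allowlist values are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// AgentMeta holds the two check-in fields the advisory names
// (hypothetical type for this example, not emp3r0r's own struct).
type AgentMeta struct {
	Transport string
	Hostname  string
}

// hostnamePattern accepts RFC 1123-style hostnames only, so shell
// metacharacters (; | ` $ ( ) and whitespace) can never pass.
var hostnamePattern = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?` +
		`(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// allowedTransports is a constructed placeholder allowlist; substitute
// the transports your deployment actually uses.
var allowedTransports = map[string]bool{"http2": true, "ssh": true, "dns": true}

// ValidateMeta rejects any field that is not on the allowlist (SI-10).
func ValidateMeta(m AgentMeta) error {
	if !allowedTransports[m.Transport] {
		return fmt.Errorf("transport %q not in allowlist", m.Transport)
	}
	if len(m.Hostname) > 253 || !hostnamePattern.MatchString(m.Hostname) {
		return errors.New("hostname contains characters outside the allowlist")
	}
	return nil
}

// TmuxWindowArgs builds the argv for a tmux window named after the agent.
// Each field is its own argv element, to be run as
// exec.Command(args[0], args[1:]...) with no shell in between, so the shell
// never parses agent-controlled text; the validation is defence in depth.
func TmuxWindowArgs(m AgentMeta) ([]string, error) {
	if err := ValidateMeta(m); err != nil {
		return nil, err
	}
	return []string{"tmux", "new-window", "-n", m.Transport + "-" + m.Hostname}, nil
}
```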


Vulnerability details

emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables remote code execution via command injection in the C2 server, which interpolates untrusted agent metadata into /bin/sh -c shell commands (T1059.004: Unix Shell); the flaw is exploited through a remote network service (T1210: Exploitation of Remote Services).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26201: same product (Jm33-M0 Emp3R0R)
CVE-2025-50989: shared CWE-77, CWE-78
CVE-2026-4558: shared CWE-77, CWE-78
CVE-2026-3485: shared CWE-77, CWE-78
CVE-2025-61045: shared CWE-77, CWE-78
CVE-2025-0798: shared CWE-77, CWE-78
CVE-2025-56089: shared CWE-78
CVE-2025-10680: shared CWE-78
CVE-2025-45379: shared CWE-78
CVE-2025-56084: shared CWE-78

Affected Assets

Vendor: jm33-m0
Product: emp3r0r
Versions: ≤ 3.21.1

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Validates untrusted agent metadata (Transport, Hostname) prior to interpolation into tmux shell commands to directly prevent command injection and RCE on the operator host.

Prevent (SI-2, Flaw Remediation): Remediates the specific command injection flaw by identifying, reporting, and applying the vendor patch to emp3r0r version 3.21.1 or later.

Detect: Monitors and scans for vulnerabilities like CVE-2026-26068 in the emp3r0r C2 server to identify and prioritize remediation.
