CVE-2026-34227
Published: 31 March 2026
Summary
CVE-2026-34227 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in BishopFox Sliver. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks at the 6.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CWE-306 (Missing Authentication for Critical Function) by prohibiting unauthenticated actions on C2 sessions, preventing hijacking via malicious links.
Protects the authenticity of C2 communications sessions and detects/terminates hijacking attempts, addressing session takeover in the operator's browser.
Requires timely identification, reporting, and remediation of flaws like this high-severity vulnerability, ensuring upgrade to patched version 1.7.4.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability explicitly enables hijacking of C2 operator sessions via the browser by tricking the operator into clicking a malicious link (missing auth for critical functions), directly mapping to T1185 Browser Session Hijacking facilitated via T1566.002 Spearphishing Link.
NVD Description
Sliver is a command and control framework that uses a custom WireGuard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, ntds.dit) or destroying the entire compromised infrastructure, entirely through the operator's own browser. This issue has been patched in version 1.7.4.
Deeper analysis
CVE-2026-34227 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting Sliver, an open-source command and control (C2) framework that implements a custom WireGuard netstack. Versions prior to 1.7.4 are vulnerable due to weaknesses mapped to CWE-306 (Missing Authentication for Critical Function) and CWE-942 (Permissible Navigational Transitions). The flaw enables attackers to hijack C2 operator sessions through the operator's browser without authentication.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity by tricking a Sliver C2 operator into clicking a malicious link (user interaction required). Successful exploitation grants the attacker silent, immediate control over all active C2 sessions and beacons implanted on target systems. This allows full exfiltration of sensitive collected data, such as SSH keys or ntds.dit files, or complete destruction of the compromised infrastructure, all executed client-side in the operator's browser.
The issue was patched in Sliver version 1.7.4, as detailed in the BishopFox security advisory (GHSA-6fpf-248c-m7wm). Operators should upgrade immediately to mitigate risks, particularly given the framework's use in red teaming and adversary emulation where operator browsers may be exposed.
Details
- CWE(s)