PT-2025-44202 · Sliver · Sliver
Published: 2025-10-28 · Updated: 2026-03-19
CVE-2025-27093
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Sliver versions 1.5.43 and earlier, and version 1.6.0-dev
Description
Sliver is a command and control framework that uses a custom WireGuard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between WireGuard clients. This unrestricted communication allows clients to connect to each other, potentially enabling attackers to leverage leaked or recovered keypairs to compromise operators or access port forwardings from other implants. The WireGuard connection operates entirely within the process and does not expose itself as a network interface. An attacker who obtains a valid WireGuard configuration can connect to the operator's machine, potentially accessing services listening on all interfaces (0.0.0.0), such as SSH, RDP, or SMB. The private key of a beacon can be recovered through process dumping, allowing an attacker to generate new WireGuard clients without the operator's knowledge and achieve persistence within the network.
Recommendations
Versions prior to 1.5.43 and version 1.6.0-dev should implement traffic filtering between clients using a default-deny policy.
Differentiate between operator and beacon WireGuard configurations/clients.
Only allow specific one-way traffic when an operator requests a WireGuard port forward.
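The three recommendations above fit together as one default-deny check on peer-to-peer traffic. The sketch below is an added illustration, not code from Sliver or its fix; every type and function name is hypothetical, the 100.64.0.x peers are constructed sample values, and addresses are passed as strings only for readability.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Role int
const (
	Beacon Role = iota + 1 // zero value means "unknown peer"
	Operator
)

type Forward struct {
	Operator, Beacon netip.Addr // one-way only: Operator -> Beacon:Port
	Port             uint16
}

// Policy is a default-deny filter for traffic between tunnel peers.
type Policy struct {
	roles    map[netip.Addr]Role
	forwards map[Forward]bool
}

// AllowForward records a forward only from a known operator to a known beacon.
func (p *Policy) AllowForward(op, bc string, port uint16) error {
	f := Forward{netip.MustParseAddr(op), netip.MustParseAddr(bc), port}
	if p.roles[f.Operator] != Operator || p.roles[f.Beacon] != Beacon {
		return fmt.Errorf("refused forward %s -> %s:%d", op, bc, port)
	}
	p.forwards[f] = true
	return nil
}

// Permit runs when src opens a connection to dst:port; no exact entry, no traffic.
func (p *Policy) Permit(src, dst string, port uint16) bool {
	return p.forwards[Forward{netip.MustParseAddr(src), netip.MustParseAddr(dst), port}]
}

// demoPolicy uses constructed sample peers: one operator, two beacons.
func demoPolicy() *Policy {
	a := netip.MustParseAddr
	p := &Policy{forwards: map[Forward]bool{}, roles: map[netip.Addr]Role{
		a("100.64.0.2"): Operator, a("100.64.0.10"): Beacon, a("100.64.0.11"): Beacon}}
	_ = p.AllowForward("100.64.0.2", "100.64.0.10", 3389) // valid by construction
	return p
}

func main() { fmt.Println(demoPolicy().Permit("100.64.0.10", "100.64.0.2", 22)) } // beacon -> operator
```

Permit covers connection setup only; a real filter would also track established flows so replies on an allowed forward pass while new connections in the reverse direction stay blocked.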
Weakness Enumeration
Improper Access Control
Related Identifiers
Affected Products
Sliver