PT-2026-6972 · Sliver · Sliver

Xtle0O0 · Published 2026-02-06 · Updated 2026-03-18 · CVE-2026-25791

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Sliver versions prior to 1.7.0

Description

The DNS command and control (C2) listener accepts unauthenticated Time-based One-Time Password (TOTP) bootstrap messages and allocates server-side DNS sessions without validating the OTP values, even when EnforceOTP is enabled. Sessions are stored indefinitely in this flow, allowing an unauthenticated remote actor to repeatedly create sessions and exhaust server memory. The vulnerable code resides in server/c2/dns.go (lines 84-90, 378-390, 490-521), client/command/jobs/dns.go (lines 46-52), implant/sliver/transports/dnsclient/dnsclient.go (lines 896-900), and protobuf/dnspb/dns.proto (line 22). The attack vector involves sending repeated DNS queries with a minimal protobuf message of type TOTP to the network-accessible DNS listener. The DNSMessageType TOTP bootstrap handling path is the trigger. This can lead to an unauthenticated remote denial of service through resource exhaustion.

Recommendations

Versions prior to 1.7.0 should be updated to version 1.7.0 or later.
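
The two controls whose absence the description points to (validate the OTP before allocating any session state, and cap and expire sessions so none is stored indefinitely), sketched as an added Go example. It is not Sliver's code or the 1.7.0 patch; `SessionTable`, `Bootstrap` and the verifier callback are hypothetical names, and the OTP value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrBadOTP = errors.New("otp rejected")
var ErrFull = errors.New("session table full")

type SessionTable struct { // hypothetical; not Sliver's code or its 1.7.0 patch
	mu       sync.Mutex
	sessions map[uint32]time.Time // session ID -> creation time
	nextID   uint32
	max      int                    // hard cap on live sessions
	ttl      time.Duration          // sessions older than this are dropped
	validOTP func(code string) bool // assumed OTP verifier
}

func NewSessionTable(max int, ttl time.Duration, v func(string) bool) *SessionTable {
	return &SessionTable{sessions: map[uint32]time.Time{}, max: max, ttl: ttl, validOTP: v}
}

// Bootstrap handles a TOTP-type message: authenticate first, allocate second.
func (t *SessionTable) Bootstrap(code string, now time.Time) (uint32, error) {
	if !t.validOTP(code) { // reject before any server-side state exists
		return 0, ErrBadOTP
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	for id, created := range t.sessions { // expire: nothing is stored indefinitely
		if now.Sub(created) > t.ttl {
			delete(t.sessions, id)
		}
	}
	if len(t.sessions) >= t.max { // bounded memory even with valid codes
		return 0, ErrFull
	}
	t.nextID++
	t.sessions[t.nextID] = now
	return t.nextID, nil
}

func main() {
	t := NewSessionTable(2, time.Minute, func(c string) bool { return c == "123456" }) // constructed OTP
	_, err := t.Bootstrap("000000", time.Now())
	fmt.Println(err, len(t.sessions))
}
```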

Exploit · Fix · DoS · Resource Exhaustion · Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-25791
GHSA-WXRW-GVG8-FQJP
GO-2026-4466
SUSE-SU-2026:0757-1

Affected Products

Sliver