The DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.
A Path Traversal vulnerability in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated Path Traversal / arbitrary file read issue, and it can expose credentials, configs, and keys.
A Path Traversal vulnerability in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated Path Traversal / arbitrary file read issue, and it can expose credentials, configs, and keys.
A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where startSessionHandler() reads the entire request body without limits, allowing attacker-driven memory exhaustion and process crash.
Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: Leaked/recovered keypair (from a beacon) being used to attack operators. Port forwardings usable from other implants.
The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so
Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user.
This advisory duplicates another.
The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary codes on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)