Description
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0.
Published: 2026-02-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion and unauthenticated session flooding
Action: Immediate Patch
AI Analysis

Impact

A flaw in the DNS channel of the Sliver command‑and‑control framework allows an attacker to send one‑time‑password bootstrap messages without being authenticated. The server accepts and stores these bootstrap requests even when OTP enforcement is turned on. Because the session data has no cleanup or expiry for this flow, the attacker can repeatedly create many sessions, causing the server’s memory consumption to grow without bound, ultimately leading to a denial of service. This is a classic case of resource exhaustion, classified as missing authentication (CWE‑306) and uncontrolled resource consumption (CWE‑400).

Affected Systems

The vulnerable product is Sliver from BishopFox. Any installation running a version earlier than 1.7.0 is affected; the fix is available in release 1.7.0 and later.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact with a moderate to high exploitability. The EPSS score of less than 1% suggests that widespread exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, abusing the DNS C2 interface, and requires no prior authentication. Once exploited, the attacker can drive memory exhaustion on the C2 server, disrupting the operational availability of the command‑and‑control infrastructure.

Generated by OpenCVE AI on April 17, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sliver package to version 1.7.0 or newer, which includes validation of OTP values and proper session cleanup.
  • Enable EnforceOTP in configuration to ensure all bootstrap messages are authenticated before session creation.
  • Implement rate limiting or connection throttling on the DNS C2 listener to mitigate excessive session creation.
  • Monitor server memory utilization and set alerts to detect anomalous growth that could indicate an ongoing attack.

Generated by OpenCVE AI on April 17, 2026 at 21:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wxrw-gvg8-fqjp Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service
History

Mon, 23 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Bishopfox
Bishopfox sliver
CPEs cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*
Vendors & Products Bishopfox
Bishopfox sliver

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Description Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion. This vulnerability is fixed in 1.7.0.
Title Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service
Weaknesses CWE-306
CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Bishopfox Sliver
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:59:20.819Z

Reserved: 2026-02-05T19:58:01.639Z

Link: CVE-2026-25791

cve-icon Vulnrichment

Updated: 2026-02-10T15:39:43.729Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T21:15:49.650

Modified: 2026-02-23T17:42:31.743

Link: CVE-2026-25791

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses