Impact
Evil‑WinRM versions through 3.9 contain a path‑traversal flaw in the download_dir() function. Unsanitized filenames returned by Get‑ChildItem are passed directly to File.join, allowing an attacker who controls or compromises the remote Windows server to write files outside the intended download directory. The attacker can overwrite sensitive client‑side files such as SSH authorized_keys or shell configuration files, giving the attacker persistent access or privilege escalation on the client machine.
Affected Systems
Hackplayers Evil‑WinRM, all releases up to and including version 3.9. The vulnerability was fixed with commit 6ecd570, so versions 3.10 and newer are not vulnerable.
Risk and Exploitability
The CVSS score of 7.4 indicates significant risk, but the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. Attackers need control over or the ability to manipulate the remote Windows server that the client connects to; the vulnerability is remotely exploitable once the attacker can influence the remote server's response. This path traversal can lead to arbitrary file creation and therefore to elevation of privileges or persistence on the client.
OpenCVE Enrichment