Description
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem command output that are passed unsanitized to File.join(). Attackers controlling the remote server can exploit this to overwrite sensitive client-side files such as SSH authorized_keys or shell configuration files, achieving persistent access or privilege escalation on the client machine.
Published: 2026-06-17
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Evil‑WinRM versions through 3.9 contain a path‑traversal flaw in the download_dir() function. Unsanitized filenames returned by Get‑ChildItem are passed directly to File.join, allowing an attacker who controls or compromises the remote Windows server to write files outside the intended download directory. The attacker can overwrite sensitive client‑side files such as SSH authorized_keys or shell configuration files, giving the attacker persistent access or privilege escalation on the client machine.

Affected Systems

Hackplayers Evil‑WinRM, all releases up to and including version 3.9. The vulnerability was fixed with commit 6ecd570, so versions 3.10 and newer are not vulnerable.

Risk and Exploitability

The CVSS score of 7.4 indicates significant risk, but the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. Attackers need control over or the ability to manipulate the remote Windows server that the client connects to; the vulnerability is remotely exploitable once the attacker can influence the remote server's response. This path traversal can lead to arbitrary file creation and therefore to elevation of privileges or persistence on the client.

Generated by OpenCVE AI on June 18, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Evil‑WinRM to the patched revision containing commit 6ecd570 (version 3.10 or newer).
  • Verify that the download_dir() function now sanitizes filenames or restricts writes to a whitelisted directory.
  • If an update cannot be applied immediately, limit the use of Evil‑WinRM or block connections to untrusted remote Windows servers and monitor client systems for unexpected file writes.

Generated by OpenCVE AI on June 18, 2026 at 20:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hackplayers
Hackplayers evil-winrm
Vendors & Products Hackplayers
Hackplayers evil-winrm

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem command output that are passed unsanitized to File.join(). Attackers controlling the remote server can exploit this to overwrite sensitive client-side files such as SSH authorized_keys or shell configuration files, achieving persistent access or privilege escalation on the client machine.
Title Evil-WinRM - Path Traversal in download_dir() Function
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Hackplayers Evil-winrm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T13:54:28.729Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55201

cve-icon Vulnrichment

Updated: 2026-06-18T13:49:57.659Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')