CVE-2025-27093
vulnerability analysis and mitigation

Overview

CVE-2025-27093 affects Sliver, a command and control framework that uses a custom WireGuard netstack. The vulnerability was discovered in versions 1.5.43 and earlier, and in development version 1.6.0-dev, where the netstack implementation fails to limit traffic between WireGuard clients. The flaw was disclosed on October 28, 2025, and received a CVSS v3.1 base score of 6.3 (Medium) (GitHub Advisory).

Technical details

The vulnerability stems from the netstack's failure to filter traffic between connected WireGuard clients. The implementation treats operators' WireGuard configs and beacon/session WireGuard configs equally, allowing both to connect to the WireGuard listener created from the CLI. When services listen on 0.0.0.0, they become accessible on the WireGuard interface's IP address (e.g., 100.64.0.3), exposing services like SSH, RDP, and SMB. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, indicating a network attack vector with low attack complexity (GitHub Advisory).

Impact

The vulnerability primarily affects operator machines. If their services contain vulnerabilities, attackers can potentially achieve Remote Code Execution (RCE). Even without exploiting service vulnerabilities, attackers can gather sensitive information such as hostnames and SSH signatures. Additionally, compromised beacon keypairs can be used to attack operators, and port forwards become accessible from other implants (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched by filtering traffic between clients with a default-deny policy. The fix differentiates between operator and beacon WireGuard configs/clients and only allows specific one-way traffic when the operator requests to open a WireGuard port forward. Users should upgrade to version 1.5.44 or later (GitHub Advisory).
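The default-deny policy described above, and the exposure from the Technical details section that it closes, can be modelled in a few lines of Go. This is an added illustration, not Sliver's code: the type and function names, the peer addresses other than 100.64.0.3, port 8080, and the operator-to-implant direction of the one-way flow are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Role tags a WireGuard peer; the zero value means "unknown peer".
type Role int

const (
	Operator Role = iota + 1
	Implant
)

// Flow is one permitted one-way path (assumed direction: operator to implant).
type Flow struct {
	Src, Dst netip.Addr
	Port     uint16
}

// Filter is default-deny: a new connection passes only if a Flow was opened for it.
type Filter struct {
	roles   map[netip.Addr]Role
	allowed map[Flow]bool
}

// OpenForward records a port forward; only an operator may open one, only towards an implant.
func (f *Filter) OpenForward(op, implant netip.Addr, port uint16) error {
	if f.roles[op] != Operator || f.roles[implant] != Implant {
		return fmt.Errorf("forward %s -> %s:%d rejected: wrong peer roles", op, implant, port)
	}
	f.allowed[Flow{op, implant, port}] = true
	return nil
}

// Allow decides on a new connection; anything not explicitly opened is dropped.
func (f *Filter) Allow(src, dst netip.Addr, port uint16) bool {
	return f.allowed[Flow{src, dst, port}]
}

func main() {
	op, imp := netip.MustParseAddr("100.64.0.3"), netip.MustParseAddr("100.64.0.10") // constructed peers
	f := &Filter{roles: map[netip.Addr]Role{op: Operator, imp: Implant}, allowed: map[Flow]bool{}}
	fmt.Println("implant -> operator:22  ", f.Allow(imp, op, 22))
	fmt.Println("open forward:", f.OpenForward(op, imp, 8080))
	fmt.Println("operator -> implant:8080", f.Allow(op, imp, 8080))
	fmt.Println("implant -> operator:8080", f.Allow(imp, op, 8080))
}
```

The model only decides on connection initiation; a real filter also has to pass reply packets for flows it has admitted.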

This report was generated using AI.
