An architectural vulnerability in the Sliver C2 server allows Reverse-C2 Weaponization: by extracting credentials from a captured implant, a defender can turn the C2 relationship around and trigger a remote Infrastructure Kill-Switch. The root cause is a systemic lack of nil-pointer validation in the server's Protobuf handlers, which leads to a global runtime panic.
The impact of CVE-2026-29781 is a Total Operational Paralysis of the C2 infrastructure.
- The Hunter becomes the Hunted: A defender who captures an implant binary can reverse the attack and shut down the Sliver server completely.
- Cross-Transport Collapse: Because the mTLS, WireGuard, and DNS transports lack a recover() mechanism, a single malformed packet causes the entire Go runtime to exit (SIGSEGV).
- Collateral Session Loss: A crash triggered via a DNS beacon instantly kills all active HTTP, mTLS, and WireGuard sessions across the entire fleet.
- Operator Eviction: All active operators are immediately disconnected from the gRPC interface, losing all unsaved state and real-time monitoring.
- Restoration requires manual intervention to restart the server and re-establish complex pivot chains, creating a high Recovery Time Objective (RTO).
-
Prerequisites:
- Extract Credentials: Obtain the mTLS certificate, private key, and Age secret key from a captured Sliver implant.
- Edit PoC: Open mtls_poc.go and replace the placeholder values in the var block (c2Endpoint, clientCertPEM, clientKeyPEM, peerPrivateKey) with your extracted credentials.
- Run the exploit against your test Sliver server:

`go run mtls_poc.go`

Expected Result & Proof of Crash: Upon receiving the malformed packet, the Sliver server triggers an immediate Nil-Pointer Dereference. Since the transport layer (mTLS/Yamux) does not recover from this panic, the entire server process terminates with a SIGSEGV.
You can verify this by checking the server status:

`systemctl status sliver`

Official Advisory: GHSA-hx52-cv84-jr5v
Free Palestine 🇵🇸

