CVE-2024-6127
published 2024-06-27

Priority: P2 (75)
Severity: critical
CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 10.26% (95.1st percentile)
BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path.

Affected (1 range)

Vendor        Product   Version range   Fixed in
bc_security   empire    < 5.9.3         5.9.3

Detection & IOCs (extracted from sources)

path: /tmp/
path: /etc/cron.d/
version: Empire < 5.9.3 (before commit e73e883)
  • Monitor for unauthenticated HTTP agents completing cryptographic handshakes with the Empire C2 server followed by file upload requests containing path traversal sequences (e.g., '../') in payload data.
  • Alert on unexpected file creation under /tmp/ combined with new or modified files under /etc/cron.d/ originating from the Empire server process, which is indicative of the Skywalker exploit chain.
  • Detect path traversal patterns in HTTP POST body/multipart upload fields directed at the Empire server listener endpoint; look for sequences such as '../../' or absolute path references in upload filenames.
  • The attacker must first complete the Empire agent cryptographic handshake before triggering the path traversal upload, meaning the malicious traffic will appear as a legitimate agent check-in at the network level, making pure network-based detection insufficient without also inspecting upload payload content.
  • Both the BC Security maintained Empire fork (before commit e73e883 / v5.9.3) AND the original PowerShellEmpire server (before commit f030cf62) are affected; detection and patching scope must cover both codebases.
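As an added example (not Empire's code and not taken from the cited sources), the following Python implements the two detection ideas above: it checks an agent-supplied upload file name for the traversal and absolute-path patterns that would escape the C2's download directory (including percent- and double-percent-encoded `../`), and it correlates a `/tmp/` write followed shortly by an `/etc/cron.d/` write from the server process. The event record layouts, the `UPLOAD_ROOT` directory, the process name and all sample records are constructed assumptions for illustration; map your own sensor's fields onto them.

```python
"""Detection helpers for the CVE-2024-6127 pattern (added example)."""
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed directory under which the C2 stores agent uploads; substitute
# the server's real download directory when deploying this check.
UPLOAD_ROOT = "/opt/empire/downloads"

# A '..' path segment at the start, between slashes, or at the end.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def is_traversal(name: str, root: str = UPLOAD_ROOT) -> bool:
    """True if an agent-supplied upload name would escape ``root``.

    Percent-decodes repeatedly (to catch double encoding), normalises
    backslashes, rejects absolute paths and '..' segments, then resolves
    the joined path and confirms it still lies under ``root``.
    """
    decoded = name
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or TRAVERSAL_RE.search(decoded):
        return True
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    return not (resolved == root or resolved.startswith(root + "/"))


def flag_uploads(events):
    """Return (agent, filename) for upload records whose name escapes the root."""
    hits = []
    for ev in events:
        if ev.get("kind") != "upload":
            continue
        if is_traversal(ev["filename"]):
            hits.append((ev["agent"], ev["filename"]))
    return hits


def correlate_cron_drop(file_events, process_name="empire",
                        window=timedelta(minutes=5)):
    """Return /etc/cron.d/ paths written by the C2 process that were preceded,
    within ``window``, by a /tmp/ write from the same process (the
    /tmp -> /etc/cron.d sequence called out in the IOCs)."""
    tmp_writes = []
    hits = []
    for ev in sorted(file_events, key=lambda e: e["ts"]):
        if process_name not in ev["process"]:
            continue
        if ev["path"].startswith("/tmp/"):
            tmp_writes.append(ev["ts"])
        elif ev["path"].startswith("/etc/cron.d/"):
            if any(ev["ts"] - t <= window for t in tmp_writes):
                hits.append(ev["path"])
    return hits


# Constructed sample records (not real captures).
UPLOADS = [
    {"kind": "upload", "agent": "agent-1", "filename": "screenshot.png"},
    {"kind": "upload", "agent": "agent-2", "filename": "../../../../etc/cron.d/job"},
    {"kind": "upload", "agent": "agent-3", "filename": "%2e%2e%2f%2e%2e%2ftmp/x"},
    {"kind": "upload", "agent": "agent-4", "filename": "/tmp/payload.sh"},
    {"kind": "upload", "agent": "agent-5", "filename": "sub/dir/notes..txt"},
]

T0 = datetime(2024, 6, 27, 12, 0, 0)
FILE_EVENTS = [
    {"ts": T0, "process": "/usr/bin/python3 empire", "path": "/tmp/agent-2.tmp"},
    {"ts": T0 + timedelta(seconds=30), "process": "/usr/bin/python3 empire",
     "path": "/etc/cron.d/job"},
    {"ts": T0 + timedelta(hours=2), "process": "/usr/bin/python3 empire",
     "path": "/etc/cron.d/late"},
    {"ts": T0 + timedelta(minutes=1), "process": "/usr/sbin/cron",
     "path": "/etc/cron.d/legit"},
]

if __name__ == "__main__":
    for agent, fname in flag_uploads(UPLOADS):
        print(f"traversal in upload from {agent}: {fname!r}")
    for path in correlate_cron_drop(FILE_EVENTS):
        print(f"cron drop preceded by /tmp write: {path}")
```

The final resolve-under-root check is what makes the filename test robust: the regex catches the obvious `../` forms, but resolving the joined path and comparing prefixes also rejects any encoding or normalisation trick that slips past the pattern, and a name such as `notes..txt` is correctly left alone.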