CVE-2024-6127
Published 2024-06-27
Priority: P2 (75) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 10.26% (95.1th percentile)
BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path.
Affected (1 version range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bc_security | empire | < 5.9.3 | 5.9.3 |
Detection & IOCs (extracted from the linked sources)
- Monitor for unauthenticated HTTP agents that complete the cryptographic handshake with the Empire C2 server and then issue file upload requests whose payload data carries path traversal sequences (e.g. '../').
- Alert on unexpected file creation under /tmp/ combined with new or modified files under /etc/cron.d/ originating from the Empire server process; this combination is indicative of the Skywalker exploit chain.
- Detect path traversal patterns in HTTP POST bodies and multipart upload fields directed at the Empire listener endpoint; look for sequences such as '../../' or absolute path references in upload filenames.
- The attacker must complete the Empire agent cryptographic handshake before triggering the path traversal upload, so the malicious traffic looks like a legitimate agent check-in at the network level. Network-based detection alone is therefore insufficient; the upload payload content must also be inspected.
- Both the BC Security maintained Empire fork (before commit e73e883 / v5.9.3) and the original PowerShellEmpire server (before commit f030cf62) are affected, so detection and patching scope must cover both codebases.
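The description above says the attacker, after a normal agent handshake, hands the server an upload whose path contains traversal sequences; the detection notes say the only reliable signal is in that upload payload. The following is an added example written for this page, not Empire's code and not its actual patch: it shows the bug pattern (an agent-controlled path joined into the download directory with no check) next to a hardened handler that rejects traversal and confines the resolved path, and a payload-level detector run over constructed upload records. The directory layout `DOWNLOAD_ROOT/<agent>/<client path>`, the record format and the sample paths are assumptions made for the demonstration.

```python
"""Illustrative server-side check and detector for agent-supplied upload paths.

Added example: this is NOT Empire's code and does not reproduce the actual
fix. The download layout (DOWNLOAD_ROOT/<agent>/<client path>) and the
record format are assumptions made for the demonstration.
"""
import os
import re
import urllib.parse

# Assumed download layout for the example; Empire's real layout may differ.
DOWNLOAD_ROOT = "/opt/empire/downloads"

_WIN_DRIVE = re.compile(r"^[A-Za-z]:")
_AGENT_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def normalize_client_path(raw: str) -> str:
    """Canonicalise the path string an agent declares for an uploaded file.

    Percent-decoding is repeated (bounded) so %2e%2e%2f and double-encoded
    %252e%252e forms collapse to '..', and backslashes are folded to '/'
    so Windows-style '..\\..\\' traversal is caught by the same check.
    """
    path = raw
    for _ in range(3):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw: str) -> bool:
    """True if the declared path could escape the per-agent download dir."""
    path = normalize_client_path(raw)
    if "\x00" in path:                      # NUL truncation tricks
        return True
    if path.startswith("/") or _WIN_DRIVE.match(path):
        return True                         # absolute path, POSIX or Windows
    return any(part == ".." for part in path.split("/"))


def vulnerable_target(agent: str, client_path: str, root: str = DOWNLOAD_ROOT) -> str:
    """The bug pattern: the agent-controlled path is joined without any check,
    so '../' components walk out of the download directory."""
    return os.path.normpath(os.path.join(root, agent, client_path))


def safe_target(agent: str, client_path: str, root: str = DOWNLOAD_ROOT) -> str:
    """Hardened form: validate syntactically, then confine the resolved path.

    Raises ValueError instead of writing anywhere outside root/<agent>/.
    """
    if not _AGENT_NAME.match(agent):
        raise ValueError("invalid agent name")
    if is_traversal(client_path):
        raise ValueError("traversal or absolute path in upload path")
    agent_root = os.path.realpath(os.path.join(root, agent))
    target = os.path.realpath(os.path.join(agent_root, normalize_client_path(client_path)))
    # Defence in depth: even if the syntactic check missed something, the
    # resolved path must still sit inside the agent's own directory.
    if os.path.commonpath([agent_root, target]) != agent_root:
        raise ValueError("resolved path escapes the agent download dir")
    return target


def upload_accepted(agent: str, client_path: str) -> bool:
    """Convenience wrapper: would the hardened handler store this upload?"""
    try:
        safe_target(agent, client_path)
        return True
    except ValueError:
        return False


# Constructed sample upload records (agent name, declared client path).
# Made up for the example, not captured Empire traffic.
SAMPLE_UPLOADS = [
    ("AGENT01", "Users/bob/Documents/report.docx"),      # benign
    ("AGENT02", "../../../../etc/cron.d/backdoor"),       # classic traversal
    ("AGENT03", "..%2f..%2f..%2ftmp%2fx.sh"),             # URL-encoded slashes
    ("AGENT04", "..\\..\\..\\tmp\\evil"),                 # Windows separators
    ("AGENT05", "%252e%252e/%252e%252e/etc/passwd"),      # double-encoded dots
    ("AGENT06", "/etc/cron.d/job"),                       # absolute path
]


def flag_uploads(records):
    """Return the (agent, path) pairs whose declared path looks like traversal.

    This is the payload-level inspection the detection notes call for: the
    agent has already completed its handshake, so only the upload content
    distinguishes it from a legitimate check-in.
    """
    return [(agent, path) for agent, path in records if is_traversal(path)]


if __name__ == "__main__":
    for agent, path in flag_uploads(SAMPLE_UPLOADS):
        print(f"FLAG {agent}: {path!r} -> naive join would write {vulnerable_target(agent, path)}")
```

Running the block shows why the naive join matters: for AGENT02 it resolves to /etc/cron.d/backdoor, which is exactly the cron-based persistence the detection notes describe. The hardened handler rejects all five hostile records before any write happens, and the `commonpath` check remains as a second barrier should a new encoding slip past the syntactic filter.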
No detection rules found.
No writeups or analysis indexed.
References:
- https://aceresponder.com/blog/exploiting-empire-c2-framework
- https://github.com/ACE-Responder/Empire-C2-RCE-PoC
- https://github.com/BC-SECURITY/Empire/blob/8283bbc77250232eb493bf1f9104fdd0d468962a/CHANGELOG.md?plain=1#L102
- https://vulncheck.com/advisories/empire-unauth-rce