CVE-2026-26068

CVE-2026-26068 is a command injection vulnerability in emp3r0r, a stealth-focused command-and-control (C2) framework designed by Linux users for Linux environments. In versions prior to 3.21.1, the C2 server accepts untrusted metadata from agents during check-in, including fields such as Transport and Hostname. This metadata is later interpolated into tmux shell command strings executed via /bin/sh -c on the operator host, enabling remote code execution. The vulnerability is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

The attack scenario involves a compromised emp3r0r agent on a target Linux system, where an attacker with low privileges (PR:L) can craft malicious metadata during the check-in process. Exploitation requires network access to the C2 server (AV:N) with low complexity and no user interaction. Successful exploitation allows arbitrary command injection and remote code execution on the operator's host machine, potentially granting high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) across the changed scope (S:C), such as full system compromise of the C2 infrastructure.

Mitigation is addressed in emp3r0r version 3.21.1, which fixes the vulnerability by preventing untrusted metadata interpolation. Security practitioners running emp3r0r C2 servers should update to v3.21.1 or later, as detailed in the project's GitHub security advisory (GHSA-h5p4-4xp4-vjpp), release notes, and the fixing commit.