CVE-2026-26068
Command Injection in emp3r0r C2 Allows Remote Code Execution
Publication date: 2026-02-12
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jm33-m0 | emp3r0r | to 3.21.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in emp3r0r, a stealth-focused command and control (C2) tool designed for Linux environments. Prior to version 3.21.1, emp3r0r accepts untrusted agent metadata such as Transport and Hostname during check-in. This untrusted data is then interpolated into tmux shell command strings executed via /bin/sh -c. Because of this, an attacker can perform command injection, leading to remote code execution on the operator host.
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary commands remotely on the operator host by injecting malicious commands through untrusted metadata. This can lead to full compromise of the operator system, unauthorized access, data theft, or further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in emp3r0r version 3.21.1. Immediate mitigation involves upgrading emp3r0r to version 3.21.1 or later to prevent command injection and remote code execution on the operator host.