CVE-2026-26068
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in emp3r0r C2 Allows Remote Code Execution

Publication date: 2026-02-12

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code execution on the operator host. This vulnerability is fixed in 3.21.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26068
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jm33-m0 emp3r0r to 3.21.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in emp3r0r, a stealth-focused command and control (C2) tool designed for Linux environments. Prior to version 3.21.1, emp3r0r accepts untrusted agent metadata such as Transport and Hostname during check-in. This untrusted data is then interpolated into tmux shell command strings executed via /bin/sh -c. Because of this, an attacker can perform command injection, leading to remote code execution on the operator host.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands remotely on the operator host by injecting malicious commands through untrusted metadata. This can lead to full compromise of the operator system, unauthorized access, data theft, or further attacks within the network.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in emp3r0r version 3.21.1. Immediate mitigation involves upgrading emp3r0r to version 3.21.1 or later to prevent command injection and remote code execution on the operator host.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26068. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart