CVE-2026-57952

Authorization Bypass in Mythic C2 Profile Endpoints

Vulnerability report for CVE-2026-57952, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration, including encryption keys and callback parameters.


Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A

Affected Vendors & Products

One associated CPE:

Vendor   Product   Version / Range
mythic   mythic    all versions up to, but excluding, 3.4.0.60


Exploitability

CWE

CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.


Mitigation Strategies

To mitigate this vulnerability, immediate steps include upgrading Mythic to version 3.4.0.60 or later where the authorization bypass issue is fixed.

If upgrading is not immediately possible, restrict access to the vulnerable REST endpoints to trusted users only and implement additional access controls to ensure payload UUIDs are verified against the operator's current operation.

Monitor and audit usage of the affected endpoints to detect any unauthorized access attempts.

Executive Summary

CVE-2026-57952 is an authorization bypass vulnerability in Mythic versions before 3.4.0.60 affecting four REST endpoints: c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook.

These endpoints fail to verify if the payload UUID provided belongs to the caller's current operation, allowing an operator in one operation to access C2 profile configuration data from another operation.

This means an attacker can use a known payload UUID from a different operation to retrieve sensitive information such as encryption keys, callback hosts, ports, URIs, user agents, redirector rules, and beacon messages.

The root cause is that these endpoints omit the operation_id condition in their SQL queries, unlike a secure sibling endpoint that performs the necessary operation membership check.

All four vulnerable routes are accessible to spectators due to broad authorization middleware, breaking operation isolation in multi-team deployments.
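The root cause above (a lookup keyed on the payload UUID alone, with the operation_id condition left out) and the ownership check the mitigation section asks for are shown side by side below. This is an added example written for this page, not Mythic's source code: the table columns, query text, operator and payload types, handler names and the constructed in-memory rows are all assumptions standing in for the real database and handlers.

```go
package main

import (
	"errors"
	"fmt"
)

// Payload models the columns of a payload row that matter here.
// Field names are assumptions for this example, not Mythic's schema.
type Payload struct {
	UUID        string
	OperationID int
	C2Config    map[string]string // callback host, key material, etc.
}

// Operator is the authenticated caller; CurrentOperationID is the
// operation the operator is currently switched into.
type Operator struct {
	Username           string
	CurrentOperationID int
}

// Constructed rows standing in for the database table.
var payloads = []Payload{
	{UUID: "aaaaaaaa-0000-0000-0000-000000000001", OperationID: 1,
		C2Config: map[string]string{"callback_host": "https://redteam-a.example", "encryption_key": "<key-A, constructed>"}},
	{UUID: "bbbbbbbb-0000-0000-0000-000000000002", OperationID: 2,
		C2Config: map[string]string{"callback_host": "https://redteam-b.example", "encryption_key": "<key-B, constructed>"}},
}

var ErrNotFound = errors.New("payload not found in caller's operation")

// Paraphrased query shape of the vulnerable endpoints (assumed column names):
// the WHERE clause filters on uuid only, so any operator who knows a UUID gets the row.
const queryUnscoped = `SELECT uuid, operation_id, c2_config FROM payload WHERE uuid = $1`

// The same query with the missing operation_id condition restored.
const queryScoped = `SELECT uuid, operation_id, c2_config FROM payload WHERE uuid = $1 AND operation_id = $2`

// lookupUnscoped emulates queryUnscoped against the in-memory rows.
func lookupUnscoped(uuid string) (*Payload, error) {
	for i := range payloads {
		if payloads[i].UUID == uuid {
			return &payloads[i], nil
		}
	}
	return nil, ErrNotFound
}

// lookupScoped emulates queryScoped: the row must match both the UUID
// and the caller's current operation.
func lookupScoped(uuid string, operationID int) (*Payload, error) {
	for i := range payloads {
		if payloads[i].UUID == uuid && payloads[i].OperationID == operationID {
			return &payloads[i], nil
		}
	}
	return nil, ErrNotFound
}

// C2ProfileConfigVulnerable is the handler shape before the fix: the caller's
// operation is never consulted, so a foreign UUID is served like any other.
func C2ProfileConfigVulnerable(caller Operator, uuid string) (map[string]string, error) {
	p, err := lookupUnscoped(uuid)
	if err != nil {
		return nil, err
	}
	return p.C2Config, nil
}

// C2ProfileConfigFixed scopes the lookup to the caller's current operation.
// A UUID owned by another operation is indistinguishable from a nonexistent
// one, which also avoids confirming that the UUID exists.
func C2ProfileConfigFixed(caller Operator, uuid string) (map[string]string, error) {
	p, err := lookupScoped(uuid, caller.CurrentOperationID)
	if err != nil {
		return nil, err
	}
	return p.C2Config, nil
}

func main() {
	alice := Operator{Username: "alice", CurrentOperationID: 1}
	foreign := "bbbbbbbb-0000-0000-0000-000000000002" // payload owned by operation 2
	cfg, err := C2ProfileConfigVulnerable(alice, foreign)
	fmt.Println("vulnerable handler:", cfg, err)
	cfg, err = C2ProfileConfigFixed(alice, foreign)
	fmt.Println("fixed handler:", cfg, err)
}
```

The design point is that the ownership condition belongs in the query itself (or an equivalent check immediately after the row is loaded) rather than in a separate branch that every new endpoint has to remember to call; the secure sibling endpoint the summary mentions already follows that pattern, and the fix brings the four webhook routes in line with it.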

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive C2 profile configuration data across different operations on the same Mythic server.

An attacker or operator in one operation can retrieve encryption keys, callback parameters, and other sensitive configuration details from another operation, potentially compromising the security and confidentiality of that operation's infrastructure.

In multi-team or multi-operation environments, this breaks isolation between operations, increasing the risk of data leakage and unauthorized control over C2 profiles.

Detection Guidance

This vulnerability involves unauthorized access to four specific REST endpoints by using a known payload UUID from another operation. Detection can focus on monitoring requests to these endpoints and checking for cross-operation payload UUID usage.

  • Monitor HTTP requests to the following endpoints: c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook.
  • Look for requests where the payload UUID does not belong to the authenticated operator's current operation.
  • Use network traffic inspection tools (e.g., tcpdump, Wireshark) to capture and analyze REST API calls to these endpoints. Note that the Mythic UI and API are normally served over TLS, so the request paths are only visible in a plaintext capture or after TLS termination; server-side logs are the more reliable source.
  • Example command to capture traffic on port 80 or 443 (adjust as needed; -l makes tcpdump line-buffer its output so grep sees lines as they arrive): tcpdump -l -i any -A 'tcp port 80 or tcp port 443' | grep -E 'c2profile_config_check_webhook|c2profile_redirect_rules_webhook|c2profile_get_ioc_webhook|c2profile_sample_message_webhook'
  • Check Mythic server logs for access to these endpoints and verify if payload UUIDs accessed belong to the operator's operation.
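The log check in the last bullet can be automated by joining each request against the operation that owns the requested payload. The program below is an added example written for this page, not a Mythic component: the "timestamp key=value ..." log format, the sample log lines and the UUID-to-operation map are constructed for illustration, and in a real deployment the ownership map would be built from the Mythic database.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// The four endpoints named in the advisory.
var affectedEndpoints = map[string]bool{
	"c2profile_config_check_webhook":   true,
	"c2profile_redirect_rules_webhook": true,
	"c2profile_get_ioc_webhook":        true,
	"c2profile_sample_message_webhook": true,
}

// payloadOperation maps payload UUID to its owning operation_id.
// These values are constructed; in practice they come from the database.
var payloadOperation = map[string]int{
	"aaaaaaaa-0000-0000-0000-000000000001": 1,
	"bbbbbbbb-0000-0000-0000-000000000002": 2,
}

// Finding is one request where the caller's current operation differs
// from the operation that owns the requested payload.
type Finding struct {
	Time, Operator, Endpoint, PayloadUUID string
	CallerOperation, OwnerOperation       int
}

// sampleLog holds constructed access-log lines in a hypothetical
// "timestamp key=value ..." format; Mythic's own log format is not reproduced.
const sampleLog = `2026-06-29T10:15:02Z operator=alice operation_id=1 endpoint=c2profile_get_ioc_webhook payload_uuid=aaaaaaaa-0000-0000-0000-000000000001
2026-06-29T10:16:40Z operator=alice operation_id=1 endpoint=c2profile_get_ioc_webhook payload_uuid=bbbbbbbb-0000-0000-0000-000000000002
2026-06-29T10:17:05Z operator=bob operation_id=2 endpoint=c2profile_sample_message_webhook payload_uuid=bbbbbbbb-0000-0000-0000-000000000002
2026-06-29T10:18:11Z operator=bob operation_id=2 endpoint=other_endpoint payload_uuid=aaaaaaaa-0000-0000-0000-000000000001
2026-06-29T10:19:00Z operator=carol operation_id=3 endpoint=c2profile_config_check_webhook payload_uuid=cccccccc-0000-0000-0000-000000000003`

// parseLine splits "timestamp key=value key=value" into a map, storing the
// timestamp under "time". It returns false for lines that do not fit the shape.
func parseLine(line string) (map[string]string, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return nil, false
	}
	kv := map[string]string{"time": fields[0]}
	for _, f := range fields[1:] {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return nil, false
		}
		kv[parts[0]] = parts[1]
	}
	return kv, true
}

// DetectCrossOperationAccess scans the log and returns a Finding for every
// request to an affected endpoint whose payload UUID belongs to a different
// operation than the caller's, plus the UUIDs it could not resolve (these
// deserve a manual look, since a guessed or deleted UUID would land here).
func DetectCrossOperationAccess(log string, owners map[string]int) ([]Finding, []string) {
	var findings []Finding
	var unknown []string
	for _, line := range strings.Split(log, "\n") {
		kv, ok := parseLine(strings.TrimSpace(line))
		if !ok || !affectedEndpoints[kv["endpoint"]] {
			continue // not one of the four routes in scope
		}
		callerOp, err := strconv.Atoi(kv["operation_id"])
		if err != nil {
			continue
		}
		ownerOp, known := owners[kv["payload_uuid"]]
		if !known {
			unknown = append(unknown, kv["payload_uuid"])
			continue
		}
		if ownerOp != callerOp {
			findings = append(findings, Finding{
				Time: kv["time"], Operator: kv["operator"], Endpoint: kv["endpoint"],
				PayloadUUID: kv["payload_uuid"], CallerOperation: callerOp, OwnerOperation: ownerOp,
			})
		}
	}
	return findings, unknown
}

func main() {
	findings, unknown := DetectCrossOperationAccess(sampleLog, payloadOperation)
	for _, f := range findings {
		fmt.Printf("ALERT %s operator=%s (op %d) read payload %s owned by op %d via %s\n",
			f.Time, f.Operator, f.CallerOperation, f.PayloadUUID, f.OwnerOperation, f.Endpoint)
	}
	for _, u := range unknown {
		fmt.Println("unresolved payload uuid:", u)
	}
}
```

Run against the constructed sample, the program flags alice's second request (operation 1 reading a payload owned by operation 2) and reports carol's UUID as unresolved; bob's requests are ignored because one targets his own operation's payload and the other goes to an endpoint outside the affected set.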

