PatchSiren cyber security CVE debrief
CVE-2026-55201 Hackplayers CVE debrief
CVE-2026-55201 is a high-severity path traversal vulnerability in Evil-WinRM, a tool for remote Windows management. The vulnerability, fixed in commit 6ecd570, allows a rogue or compromised remote Windows server to write files outside the intended download directory. This is achieved by exploiting the download_dir() function, which fails to sanitize filenames with traversal sequences from Get-ChildItem command output. Attackers can leverage this vulnerability to overwrite sensitive client-side files, such as SSH authorized_keys or shell configuration files, to gain persistent access or escalate privileges on the client machine. The vulnerability has a CVSS score of 7.4 and is considered high-severity. Users of Evil-WinRM through version 3.9 should update to the latest version to mitigate this vulnerability.
- Vendor
- Hackplayers
- Product
- evil-winrm
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-23
Who should care
Security teams, system administrators, and users of Evil-WinRM should be aware of this vulnerability. Specifically, those who manage remote Windows servers or use Evil-WinRM for remote management should take immediate action to update their installations and ensure that sensitive client-side files are properly secured.
Technical summary
The CVE-2026-55201 vulnerability is caused by a path traversal issue in the download_dir() function of Evil-WinRM. The function fails to properly sanitize filenames with traversal sequences from Get-ChildItem command output, allowing an attacker to write files outside the intended download directory. This can be exploited by a rogue or compromised remote Windows server to overwrite sensitive client-side files, potentially leading to persistent access or privilege escalation on the client machine.
Defensive priority
High
Recommended defensive actions
- Update Evil-WinRM to the latest version (commit 6ecd570 or later) to fix the path traversal vulnerability.
- Ensure that sensitive client-side files, such as SSH authorized_keys or shell configuration files, are properly secured and monitored for unauthorized changes.
- Implement additional security measures, such as file system access controls and monitoring, to detect and prevent potential exploitation.
- Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in remote management tools and configurations.
- Consider implementing network segmentation and isolation to limit the impact of a potential breach.
- Monitor Evil-WinRM logs and system logs for suspicious activity and implement incident response plans in case of a security incident.
- Keep all software and systems up-to-date with the latest security patches and updates.
Evidence notes
The information provided is based on the CVE-2026-55201 record and related sources from Vulncheck and NVD. The vulnerability was fixed in commit 6ecd570 and has a CVSS score of 7.4. The CVE record and NVD detail pages provide additional information on the vulnerability.
Official resources
CVE-2026-55201 was published on 2026-06-17T20:17:29.093Z and modified on 2026-06-18T14:17:33.420Z.