~/f4n6 $ grep -r "Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the..." ./investigations/ --include="*.md"

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the...

Jeff Davies 18 Jun 2026 5 min read

1. Executive summary

A path traversal vulnerability (CVE-2026-55201, High severity, status: Unreviewed) has been disclosed in Evil-WinRM through version 3.9, fixed in upstream commit 6ecd570. The flaw resides in the download_dir() function: filenames returned by the Get-ChildItem command on the remote Windows server are passed unsanitized to Ruby's File.join(), allowing a rogue or compromised remote server to write files outside the intended download directory on the operator's workstation. A malicious server can target sensitive client-side files such as ~/.ssh/authorized_keys and shell configuration files (~/.bashrc, ~/.zshrc, PowerShell profile), enabling persistent access or privilege escalation on the analyst's machine. EMEA financial services entities using Evil-WinRM for Windows administration are directly exposed; the risk is highest where operators connect to untrusted or third-party-managed servers.

2. Regulatory framing

Article Trigger (fact in this item) Practical impact
DORA Art. 28: ICT third-party risk — general principles Evil-WinRM is a third-party open-source tool used for ICT administration; this advisory constitutes a new third-party risk requiring assessment. Financial entities must include Evil-WinRM in their ICT third-party register, evaluate the vulnerability against their use case, and document the response.
NIS2 Art. 21(2)(d): supply chain security measures Evil-WinRM is a supply-chain component for entities within scope; the vulnerability affects the security properties of that component. In-scope entities must treat Evil-WinRM as a covered supply-chain asset and apply proportionate security controls (version pinning, source verification, restricted use).

Articles DORA Art. 17, 18, 19, NIS2 Art. 23, and UK NIS 2018 OES/RDSP duties become engaged only upon confirmed exploitation of this vulnerability against an in-scope system; they are not triggered by the vulnerability disclosure alone.

3. Technical analysis & attack chain

Vulnerability mechanism. Evil-WinRM's download_dir() function invokes Get-ChildItem on the remote Windows host to enumerate files for download, then joins each returned filename with the local destination path using Ruby's File.join(). The remote filename is not sanitised for path traversal sequences (e.g. ..\..\..\Users\victim\.ssh\authorized_keys). Because File.join() treats .. segments as ordinary path components rather than normalising them, the resulting local write target escapes the intended download directory. The attacker controls the remote server, so the malicious filename is fully under their control.

Attack chain (confirmed steps)

  1. Initial access — operator connects to a rogue or compromised Windows server using Evil-WinRM (typically over WinRM/HTTPS on TCP 5986 or WinRM/HTTP on 5985). The server may be attacker-controlled from the outset, or a legitimate server may have been compromised upstream.
  2. Trigger of vulnerable code path. The operator invokes a bulk-download feature that calls download_dir(), causing Evil-WinRM to run Get-ChildItem on the remote host.
  3. Malicious filename returned. The remote server returns one or more entries whose names contain traversal sequences (e.g. ..\..\Users\<operator>\.ssh\authorized_keys).
  4. Unsanitised join. Evil-WinRM passes the raw filename to File.join(local_dir, filename) without validation or canonicalisation, producing a path that escapes local_dir.
  5. Arbitrary file write on operator workstation. Evil-WinRM writes the (attacker-supplied) file content to the resolved path on the operator's machine.
  6. Persistence / privilege escalation. The attacker overwrites ~/.ssh/authorized_keys to install their own public key (persistent SSH access as the operator), or overwrites shell init files (~/.bashrc, ~/.zshrc, PowerShell profile) to execute attacker code on every subsequent shell launch.
  7. Impact. Persistent backdoor on the analyst workstation, lateral pivot into the financial entity's network using the operator's credentials and trust context.

Affected component: Evil-WinRM ≤ 3.9 (Ruby gem / CLI). Fix: upstream commit 6ecd570. No CVE vector or CVSS score is available in the verified reference data; severity is reported as High by the GitHub Advisory Database.

Unconfirmed / single-sourced claims. The advisory does not specify whether the vulnerability is exploitable only when the operator explicitly invokes a bulk-download command or whether it is triggered by any session activity. Treat any such behavioural detail as unconfirmed until validated against the upstream patch.

4. Mitigation & containment

P1 — within 24 hours

  • Upgrade Evil-WinRM to a build that includes commit 6ecd570 (or later). Verify the installed version with evil-winrm --version and confirm the source repository commit hash before use.
  • Audit ~/.ssh/authorized_keys on every workstation and jump host used to run Evil-WinRM. Compare against a known-good baseline; remove any unfamiliar keys and rotate affected credentials.
  • Audit shell init files (~/.bashrc, ~/.bash_profile, ~/.zshrc, ~/.profile, PowerShell $PROFILE) on the same hosts for unexpected entries added since the last clean state.
  • Restrict Evil-WinRM use to connections against trusted, internally-managed Windows servers until the upgrade is confirmed.

P2 — within 72 hours

  • Pin the tool version in configuration management (Ansible, Puppet, Chef, SCCM) to a patched build to prevent regression to vulnerable versions.
  • Network segmentation: ensure Evil-WinRM operator workstations cannot reach arbitrary internet endpoints; confine WinRM (TCP 5985/5986) access to known management subnets.
  • Review logs for evidence of bulk-download activity against untrusted hosts in the preceding 30 days; correlate with file-system writes outside expected download directories.

P3 — within 7 days

  • Document the third-party risk in the ICT third-party register per DORA Art. 28, including the patched version, the date of upgrade, and any compensating controls.
  • Update operational runbooks to specify the minimum Evil-WinRM version and to forbid use against servers outside the trusted inventory.

5. Indicators of compromise

No indicators of compromise available in the source material.

6. Detection

rule AT_EvilWinRM_Tool_Artifacts
{
    meta
        author = "Adverse Trace"
        date = "2026-06-18"
        description = "Detects Evil-WinRM tool artefacts associated with CVE-2026-55201 path traversal in download_dir()"
        reference = "https://github.com/advisories/GHSA-fpgm-mcvj-627x"
    strings
        $tool = "Evil-WinRM" ascii wide
        $func = "download_dir" ascii wide
        $cmd  = "Get-ChildItem" ascii wide
        $join = "File.join" ascii wide
        $ssh  = "authorized_keys" ascii wide
    condition
        2 of them
}

title: Suspicious Write to SSH authorized_keys or Shell RC File by Evil-WinRM Process
id: at-2026-06-18-117
status: experimental
description: >
  Detects file writes targeting SSH authorized_keys or shell init files by the
  Evil-WinRM Ruby process, consistent with CVE-2026-5521 path traversal abuse.
references:

  - https://github.com/advisories/GHSA-fpgm-mcvj-627x
author: Adverse Trace
date: 2026-06-18
logsource:
  product: windows
  category: process_access
detection:
  selection_process:
    Image|endswith:

      - '\ruby.exe'
      - '\rubyw.exe'
  selection_target:
    TargetFilename|endswith:

      - '\.ssh\authorized_keys'
      - '\.bashrc'
      - '\.zshrc'
      - '\.bash_profile'
      - '\.profile'
      - '\Microsoft\PowerShell\profile.ps1'
  condition: selection_process and selection_target
falsepositives:

  - Legitimate administrative use of Evil-WinRM against trusted servers writing into the configured download directory (rare; verify target path)
level: high

7. Sources

  • GitHub Advisory Database — GHSA-fpgm-mcvj-627x / CVE-2026-55201 — https://github.com/advisories/GHSA-fpgm-mcvj-627x — published 2026-06-17

8. Adverse Trace position

Severity: High. The vulnerability is rated High by the GitHub Advisory Database; no CVSS vector is available in the verified reference data and the CVE remains Unreviewed. The flaw is straightforward to exploit (no authentication on the client side beyond the operator already running the tool) and the impact — persistent SSH access or shell-level code execution on the operator workstation — is severe for any financial entity whose analysts use Evil-WinRM against Windows infrastructure. Client impact: entities that use Evil-WinRM for Windows administration must treat this as an in-scope third-party risk under DORA Art. 28 and a supply-chain concern under NIS2 Art. 21(2)(d); patching and credential hygiene should be completed within 24 hours. Next steps: Adverse Trace will (1) monitor for an upstream release tag incorporating commit 6ecd570 and update this advisory with the safe version floor, (2) re-assess once a CVSS vector is published, and (3) escalate to a confirmed-incident advisory if exploitation is observed in the wild or added to the CISA KEV catalogue.

Read the original source →

Published via PulseTrace — Adverse Trace threat intelligence.

Post this to LinkedIn
Formatting is converted automatically — headings, bullets, a link back & hashtags. Paste straight in.
J
Jeff Davies