CVE-2026-55201: Evil-WinRM - Path Traversal in download_dir() Function
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem command output that are passed unsanitized to File.join(). Attackers controlling the remote server can exploit this to overwrite sensitive client-side files such as SSH authorized_keys or shell configuration files, achieving persistent access or privilege escalation on the client machine.
Metrics
- CVSS v4.0: 7.4
- Severity: HIGH
- Fixed in: 6ecd570a298562dc72ad73978307eb34182f5850
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability exists in Evil-WinRM (versions through 3.9) inside the download_dir() function. A rogue or compromised remote Windows server can return filenames containing directory traversal sequences (such as ../../) from Get-ChildItem output; because these filenames are passed unsanitized to File.join(), files land outside the intended download directory on the client machine. Successful exploitation lets an attacker overwrite sensitive client-side files like SSH authorized_keys or shell configuration files, enabling persistent access or privilege escalation on the operator's machine. A patched-image rebuild at commit 6ecd570a298562dc72ad73978307eb34182f5850 is available on HarborGuard for environments running an affected version.
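As an added illustration of the defect described above (example code, not the Evil-WinRM project's own download_dir() implementation), the Ruby below places the unsafe File.join pattern beside a containment check that rejects any remote-supplied name whose resolved path leaves the download directory. The sample listing, the helper names and the download directory are constructed for this example; Windows separators are normalised first because Get-ChildItem output uses backslashes.

```ruby
require 'fileutils'

# Constructed sample of names a Get-ChildItem listing might hand back:
# two legitimate entries and four that must never reach File.join.
# (Assumed values for this example, not taken from the advisory.)
SAMPLE_REMOTE_NAMES = [
  'report.txt',
  'sub\\notes.txt',
  '..\\..\\.ssh\\authorized_keys',
  '../../.bashrc',
  '/etc/passwd',
  'C:\\Windows\\win.ini'
].freeze

# Vulnerable pattern: the remote-supplied name goes straight into
# File.join, so "../" components walk out of the download directory.
def unsafe_local_path(download_dir, remote_name)
  File.join(download_dir, remote_name)
end

# Hardened pattern: normalise separators, refuse absolute, drive-letter,
# tilde and NUL-bearing names, expand the candidate and accept it only if
# it still sits strictly below the download directory.
# Returns the safe absolute path, or nil when the name must be rejected.
def safe_local_path(download_dir, remote_name)
  return nil if remote_name.include?("\0")

  base = File.expand_path(download_dir)
  normalised = remote_name.tr('\\', '/')

  # Absolute paths, drive letters and ~ expansion are never valid here.
  return nil if normalised.start_with?('/', '~')
  return nil if normalised.match?(/\A[A-Za-z]:/)

  candidate = File.expand_path(normalised, base)
  return nil unless candidate.start_with?(base + File::SEPARATOR)

  candidate
end

# Split a whole listing into [accepted, rejected] names so the caller can
# log what was dropped instead of silently skipping it.
def partition_listing(download_dir, names)
  names.partition { |n| !safe_local_path(download_dir, n).nil? }
end

# Write content for one remote entry only after the containment check;
# creates intermediate directories for nested (sub\file) entries.
def store_download(download_dir, remote_name, content)
  target = safe_local_path(download_dir, remote_name)
  return false if target.nil?

  FileUtils.mkdir_p(File.dirname(target))
  File.binwrite(target, content)
  true
end

if __FILE__ == $PROGRAM_NAME
  dir = '/home/op/downloads' # assumed download directory
  accepted, rejected = partition_listing(dir, SAMPLE_REMOTE_NAMES)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
  puts "unsafe join would target: #{unsafe_local_path(dir, '../../.bashrc')}"
end
```

The check compares fully expanded paths rather than scanning for the literal string "..", so encoded or separator-mixed variants collapse to the same answer; rejected names are returned to the caller so an operator sees that the listing was tampered with.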
HarborGuard Coverage
Detection of CVE-2026-55201 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Evil-WinRM. Coverage applies to any image layer that contains the affected gem, regardless of base image origin.
HarborGuard is capable of scoring this CVE at CVSS 7.4 (High) and weighting it against each customer environment's compliance policy to reflect actual exposure. Triage findings are routed to the inbox or ticketing integration configured for each customer org, so the right team receives actionable context without manual sorting.
A patched-image rebuild pinned to commit 6ecd570a298562dc72ad73978307eb34182f5850 becomes available on HarborGuard the moment the fix is confirmed for an affected image. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must control a remote Windows server reachable over the network that the Evil-WinRM client connects to; exploitation is initiated through that server-client connection.
- Authentication: Not required
No authentication on the attacker's side is required; the attacker operates by controlling the server the victim operator chooses to connect to, not by authenticating to a protected service.
- Victim interaction: Required
The Evil-WinRM operator (victim) must initiate a download_dir() operation against the rogue or compromised server, making this a social-engineering or supply-chain scenario where the operator is directed to connect.
- Attack complexity: Low
Attack complexity is low in that the exploit itself is reliable and condition-free once the attacker controls the server, though the additional attack requirement (AT:P) notes a prerequisite that the victim must be induced to connect to the malicious endpoint.
Blast Radius
- An attacker overwrites client-side files such as ~/.ssh/authorized_keys, inserting their own public key and gaining persistent SSH access to the operator's machine without a password.
- Shell configuration files (e.g. .bashrc, .zshrc, .profile) can be replaced or appended to, executing attacker-controlled commands every time the operator opens a shell session.
- Any file writable by the user running Evil-WinRM is a candidate for overwrite, which may include credential stores, tool configuration files, or scripts used in automated pipelines.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-55201 is active across customer registries and pipelines as soon as images containing Evil-WinRM 3.9 or earlier are scanned. A rebuilt image at the patched commit (6ecd570a298562dc72ad73978307eb34182f5850) is made available for any affected image identified in a customer's environment. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; for High-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a summary of changed layers are surfaced in the HarborGuard dashboard for human sign-off before deployment.
- Hackplayers / evil-winrm: ≤ 3.9, fixed in 6ecd570a298562dc72ad73978307eb34182f5850
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N