CVE-2026-55201 Overview
CVE-2026-55201 is a path traversal vulnerability ([CWE-22]) in Evil-WinRM versions through 3.9. The flaw resides in the download_dir() function, which passes filenames from the remote server's Get-ChildItem output directly to File.join() without sanitization. A rogue or compromised remote Windows server can return filenames containing traversal sequences such as ..\..\, causing the client to write files outside the intended download directory. The issue was corrected in commit 6ecd570.
Critical Impact
Attackers controlling a remote Windows server can overwrite client-side files such as SSH authorized_keys or shell configuration files, achieving persistence or privilege escalation on the operator's machine.
Affected Products
- Evil-WinRM through version 3.9
- Evil-WinRM Ruby client distributions prior to commit 6ecd570
- Penetration testing tooling that bundles vulnerable Evil-WinRM releases
Discovery Timeline
- 2026-06-17 - CVE-2026-55201 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-55201
Vulnerability Analysis
Evil-WinRM is a Ruby-based Windows Remote Management (WinRM) client used by penetration testers to interact with Windows systems. The download_dir() function recursively downloads directory contents by enumerating remote files with Get-ChildItem and writing each entry locally. The function trusts the remote server's response and joins each returned filename to the local destination path without validation. Because Evil-WinRM is typically run against untrusted or adversary-controlled hosts during offensive engagements, the trust boundary is inverted compared to a normal client-server model.
Root Cause
The root cause is missing input sanitization on filenames received from the remote shell. The vulnerable code splits PowerShell output and passes each file.strip value directly to File.join(local_path, file.strip). When a returned name contains ../ or absolute path components, Ruby's File.join preserves the traversal, allowing writes to arbitrary client-side locations.
Attack Vector
An attacker with control of the target Windows host crafts files or hooks Get-ChildItem output so that returned names contain traversal sequences. When the operator runs download against the directory, the client writes attacker-controlled content to paths such as ~/.ssh/authorized_keys, ~/.bashrc, or ~/.zshrc, enabling persistent access or privilege escalation on the operator workstation.
command = "Get-ChildItem #{remote_path} | Select-Object Name"
@connection.shell(:powershell) { |e| e.run(command) }.stdout.strip.split(/\n/).drop(2).each do |file|
- download(File.join(remote_file_path.to_s, file.strip), File.join(local_path, file.strip), chunk_size, false)
+ sanitized = File.basename(file.strip)
+ next if sanitized.empty? || sanitized == '.' || sanitized == '..'
+
+ download(File.join(remote_file_path.to_s, file.strip), File.join(local_path, sanitized), chunk_size, false)
end
Source: GitHub Commit by Hackplayers. The patch applies File.basename() to strip directory components and skips empty, ., and .. entries before joining to the local path.
Detection Methods for CVE-2026-55201
Indicators of Compromise
- Unexpected modifications to ~/.ssh/authorized_keys, ~/.bashrc, ~/.zshrc, or ~/.profile shortly after running Evil-WinRM download operations
- New files appearing outside the intended local download directory after a recursive download
- Evil-WinRM process writing to paths that contain resolved .. traversal segments
Detection Strategies
- Audit Evil-WinRM versions on operator workstations and flag any installs prior to commit 6ecd570
- Monitor file integrity on sensitive dotfiles and SSH configuration directories on penetration testing workstations
- Inspect Evil-WinRM session logs for Get-ChildItem output containing traversal sequences or backslashes in returned names
Monitoring Recommendations
- Enable host-based file integrity monitoring on $HOME/.ssh/, shell rc files, and cron directories on machines running offensive tooling
- Log child process and file write activity from Ruby interpreters executing evil-winrm.rb
- Review red team engagement logs for downloads from untrusted or third-party Windows hosts using vulnerable versions
How to Mitigate CVE-2026-55201
Immediate Actions Required
- Upgrade Evil-WinRM to a build that includes commit 6ecd570 or later from the Hackplayers repository
- Audit operator workstations for unauthorized changes to SSH and shell configuration files following recent engagements
- Restrict use of download_dir against untrusted hosts until clients are patched
Patch Information
The fix is published in GitHub Pull Request #81 by Hackplayers and merged as commit 6ecd570. The patch sanitizes remote filenames with File.basename() and rejects empty, ., and .. entries before invoking File.join(). Additional context is available in the VulnCheck Advisory on Evil-WinRM.
Workarounds
- Avoid using the recursive download command against untrusted Windows hosts until patched
- Run Evil-WinRM inside a disposable virtual machine or container to contain client-side file writes
- Manually transfer individual files with explicit local destinations instead of full directory downloads
# Install patched Evil-WinRM from source
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
git checkout 6ecd570a298562dc72ad73978307eb34182f5850
bundle install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

