CVE-2024-6127

CRITICAL

PowerShellEmpire Arbitrary File Upload (Skywalker)

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-6127. PoCs published by Spencer McIntyre, Erik Daguerre, ACE-Responder, Takahiro Yokoyama, including Metasploit module exploits/linux/http/empire_skywalker.

AI-analyzed exploit summary This Metasploit module exploits CVE-2024-6127, an arbitrary file upload vulnerability in PowerShellEmpire (BC Security) or the original Empire server, allowing an attacker to write and execute payloads on the target system via a cron job.

Description

BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Spencer McIntyre, Erik Daguerre, ACE-Responder, Takahiro Yokoyama · rubypocpython

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/empire_skywalker.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2024-6127, an arbitrary file upload vulnerability in PowerShellEmpire (BC Security) or the original Empire server, allowing an attacker to write and execute payloads on the target system via a cron job.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PowerShellEmpire (BC Security) <v5.9.3 or original Empire server <commit f030cf62

No auth needed

Prerequisites: Network access to the Empire server · Empire server must be running and accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1059.001 - PowerShell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources technical-description

https://aceresponder.com/blog/exploiting-empire-c2-framework

Various Sources exploit

https://github.com/ACE-Responder/Empire-C2-RCE-PoC

View Writeup ZIP pw:eip

Various Sources vendor-advisory

https://github.com/BC-SECURITY/Empire/blob/8283bbc77250232eb493bf1f9104fdd0d468962a/CHANGELOG.md?plain=1#L102

View Writeup ZIP pw:eip

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/empire-unauth-rce

Scores

CVSS v3 9.8

EPSS 0.1026

EPSS Percentile 95.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-22 CWE-434

Status published

Products (1)

BC Security/Empire < 5.9.3

Published Jun 27, 2024

Tracked Since Feb 18, 2026