DeimosC2
DeimosC2 is a deprecated Golang-based command-and-control framework designed for post-exploitation red team operations. The project is no longer maintained and contains a known critical XSS vulnerability (CVE-2025-26244), making it unsuitable for production use.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | DeimosC2/DeimosC2 |
| Owner | DeimosC2 |
| Primary language | Vue |
| License | MIT — OSI-approved |
| Stars | 1.2k |
| Forks | 167 |
| Open issues | 25 |
| Latest release | 1.1.0 (2020-08-10) |
| Last updated | 2025-04-17 |
| Source | https://github.com/DeimosC2/DeimosC2 |
What DeimosC2 is
DeimosC2 is a C2 server written in Golang with a Vue.js frontend, supporting multiple agent communication channels (TCP, HTTPS, DoH, QUIC, and TCP pivot). It features multi-user roles, 2FA via Google Authenticator, RSA-wrapped agent communications, and a WebSocket API; however, it is unmaintained since the final release in August 2020 and has a documented XSS vulnerability.
Get the DeimosC2 source
Clone the repository and explore it locally.
git clone https://github.com/DeimosC2/DeimosC2.gitcd DeimosC2# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- XSS vulnerability (CVE-2025-26244) must be patched before any deployment; review the JaRm222 writeup and apply input sanitization fixes.
- Requires Golang build environment and Node.js/Vue.js toolchain for frontend compilation; deployment assumes Linux/Windows/macOS capability.
- Multi-user and 2FA setup requires external Google Authenticator configuration and credential management discipline.
- Agent communications use RSA encryption per-listener; key rotation and secure key storage are manual and operator-dependent.
- No containerization or Kubernetes manifests provided; deployment is ad-hoc binary execution or manual orchestration.
When to avoid it — and what to weigh
- Production or operational red team use — The project is deprecated, no longer maintained, and contains CVE-2025-26244 (XSS). Active exploitation risk and no vendor support or patch availability.
- Internet-facing or multi-tenant deployments — The known XSS vulnerability creates credential theft and lateral movement risk. No security audit or maintenance roadmap exists.
- Compliance or regulated environments — Deprecated software with known vulnerabilities fails compliance requirements (SOC 2, ISO 27001, etc.). No vendor guarantees or liability protection for security incidents.
- Dependency on ongoing vendor support — No active maintainers, no response to issues (25 open), and last commit was April 2025 but no releases or patches since August 2020. Community support is unreliable.
License & commercial use
DeimosC2 is licensed under the MIT License, which is a permissive, OSI-approved open-source license. MIT allows use, modification, and distribution with minimal restrictions.
The MIT License permits commercial use, including in proprietary or closed-source derivatives. However, no warranty or liability indemnification is provided by the authors. For production security tool deployment, explicit legal review is strongly recommended, particularly given the known vulnerability and lack of maintenance. Vendor support for commercial incidents is unavailable.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Stale |
| Documentation | Limited |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Possible |
| Assessment confidence | High |
DeimosC2 contains CVE-2025-26244, a reflected XSS vulnerability in the frontend that allows attacker input to be rendered without sanitization, enabling session hijacking, credential theft, and malware injection. The codebase uses RSA key wrapping for agent communications (reasonable for confidentiality), but no authenticated encryption (AEAD) is mentioned, and no integrity verification details are provided. Multi-user access controls and role-based permissions are mentioned but not audited. The project has not undergone independent security review. Use only in isolated, non-production environments pending a comprehensive security audit and patching.
Alternatives to consider
Sliver (BishopFox)
Modern, actively maintained Golang C2 framework with similar multi-platform agent support, cleaner architecture, and no known critical vulnerabilities. Strong community and commercial backing.
Merlin (Russel Van Tuyl)
Lightweight, actively maintained HTTP/HTTPS C2 with reflective DLL support, better documentation, and regular updates. Smaller attack surface than DeimosC2.
Havoc (C5pider)
Modern, community-driven C2 framework written in C/C++ with improved OPSEC, modular agent design, and active maintenance. Stronger default security posture.
Build on DeimosC2 with DEV.co software developers
DeimosC2 is deprecated and contains a critical XSS vulnerability. Evaluate actively maintained alternatives like Sliver or Merlin, or contact us to build a secure, custom C2 framework tailored to your red team requirements.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
DeimosC2 FAQ
Is DeimosC2 safe to deploy in production?
Can I fork DeimosC2 and fix the XSS vulnerability?
What agent communication methods does DeimosC2 support?
How is the frontend secured?
Software development & web development with DEV.co
Need help beyond evaluating DeimosC2? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Don't deploy unmaintained C2 infrastructure
DeimosC2 is deprecated and contains a critical XSS vulnerability. Evaluate actively maintained alternatives like Sliver or Merlin, or contact us to build a secure, custom C2 framework tailored to your red team requirements.