SSH
CVE-2025-14282
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root's credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.
AnalysisAI
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. [CVSS 5.4 MEDIUM]
Technical ContextAI
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root's credentials, bypassing both file
Affected ProductsAI
Dropbear
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-266 – Incorrect Privilege Assignment
View allShare
External POC / Exploit Code
Leaving vuln.today