Skip to main content

Tera Term TTSSH2 CVE-2026-60060

| EUVDEUVD-2026-45139 MEDIUM
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-07-17 jpcert GHSA-qcvw-2hm7-q2rp
5.1
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network vector confirmed by SSH protocol; PR:N because attacker controls the server and needs no client-side credentials; UI:R because victim must initiate the connection.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
CVSS changed
Jul 17, 2026 - 05:22 NVD
6.3 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
Jul 17, 2026 - 05:18 vuln.today

DescriptionCVE.org

Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory regions may be transmitted to the server, and Tera Term may behave unexpected or terminate abnormally.

AnalysisAI

Out-of-bounds read/write in the TTSSH2 SSH plugin of Tera Term exposes users who connect to attacker-controlled SSH servers to memory disclosure and process crashes. A malicious SSH server can send crafted packets with inconsistent length parameters during connection establishment, causing the TTSSH2 plugin to read and write beyond allocated buffer boundaries - leaking adjacent memory contents (potentially including session data or credentials) back to the attacker's server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker deploys malicious SSH server
Delivery
Social engineer or redirect victim to connect
Exploit
Victim initiates SSH session via Tera Term
Install
Server sends crafted packets with inconsistent length fields
C2
TTSSH2 performs out-of-bounds read/write
Execute
Adjacent memory contents exfiltrated to attacker server
Impact
Tera Term crashes or behaves abnormally

Vulnerability AssessmentAI

Exploitation The victim must actively initiate an SSH connection from a Windows system running Tera Term with the TTSSH2 plugin to an SSH server controlled by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 score of 6.3 (Medium) reflects a balanced but real threat: AV:N/AC:L indicates the attack is network-reachable with low complexity, but UI:R caps severity because the victim must actively initiate the SSH connection to the attacker's server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain, deploys a malicious SSH server, and delivers a phishing message or DNS-redirects a Tera Term user to connect to it. Upon connection initiation, the malicious server responds with SSH handshake packets containing deliberately inconsistent length fields. …
Remediation Consult the TeraTerm Project security advisory at https://teratermproject.github.io/SA/JVN65294474-en.html for the official patched release version - no specific fixed version number was present in the intelligence data available for this analysis, so the exact upgrade target must be confirmed from the advisory before patching. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy