Ssh
Monthly
OpenSSH before 10.3 fails to confirm connection multiplexing in proxy-mode sessions, allowing local attackers with user interaction to bypass intended access controls and potentially manipulate multiplexed connections. The vulnerability affects OpenSSH versions prior to 10.3p1 and requires local access with user interaction (UI:R) on the affected system; while the CVSS score is low (2.5) and integrity impact is limited, the omission of confirmation mechanisms in proxy-mode multiplexing creates a logic flaw that could enable unauthorized session hijacking or redirection in multi-user environments.
OpenSSH before 10.3 incorrectly interprets ECDSA algorithm specifications in PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms configuration options, allowing authenticated users to authenticate using unintended ECDSA variants. The vulnerability requires authenticated network access and high attack complexity, resulting in a low CVSS score of 3.1 with integrity impact but no confidentiality or availability loss. No public exploit code or active exploitation has been documented.
OpenSSH before version 10.3 allows local privilege escalation through shell metacharacter injection in usernames when non-default ssh_config token expansion (%) is enabled. A local authenticated attacker with limited privileges can execute arbitrary commands by crafting a malicious username containing shell metacharacters, provided the system administrator has configured ssh_config to expand user-controlled tokens. This requires low user privileges and high attack complexity due to configuration constraints, but impacts confidentiality and integrity on affected systems.
OpenSSH before version 10.3 mishandles the authorized_keys principals option when a principals list is combined with a Certificate Authority that uses certain comma character patterns, allowing authenticated local or remote users to disclose sensitive authorization information or manipulate authentication decisions. This vulnerability affects all OpenSSH versions prior to 10.3p1 and requires authenticated access (PR:L) with non-trivial attack complexity (AC:H), resulting in partial confidentiality and integrity impact. No public exploit code or active exploitation has been identified at time of analysis.
OpenSSH's legacy scp protocol (pre-10.3) can install downloaded files with elevated setuid/setgid permissions when root users transfer files with -O flag without -p. This enables privilege escalation vectors if attackers control file server content or conduct man-in-the-middle attacks (CVSS AV:N/AC:H/UI:R). No public exploit identified at time of analysis, though exploitation probability is moderate given the specific configuration requirements (root usage, legacy protocol flag, missing preserve-mode flag).
SCP client implementations across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to path traversal during file transfer, allowing a malicious SCP server to write files outside the designated working directory and potentially execute arbitrary code or modify system configuration. This vulnerability mirrors CVE-2019-6111 in OpenSSH; unauthenticated remote attackers can exploit it with high user interaction (the victim must initiate an SCP connection to a malicious server), resulting in confidentiality, integrity, and availability compromise. No public exploit code or active exploitation has been confirmed at the time of analysis.
A remote code execution vulnerability (CVSS 6.9) that allows denial of service. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo. [CVSS 7.8 HIGH]
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
Unauthorized file access in NLTK through path traversal flaws in multiple CorpusReader classes (versions up to 3.9.2) allows unauthenticated attackers to read arbitrary files on affected systems, potentially exposing SSH keys, API tokens, and other sensitive data. The vulnerability affects NLP applications and machine learning APIs that process user-controlled file inputs without proper validation. No patch is currently available.
Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.
Outdated MAC algorithms in SSH implementations for Mrs1000 and Lms1000 device firmware enable network-positioned attackers to tamper with session data integrity without user interaction. An attacker with network access can manipulate transmitted SSH traffic due to the use of cryptographically weak message authentication codes. No patch is currently available for affected devices.
Weak CBC cipher suite implementations in SSH services across SSH, LMS1000, and MRS1000 devices enable network-positioned attackers to observe or modify encrypted SSH traffic without authentication. The vulnerability requires user interaction and network access but poses a confidentiality risk to sensitive communications. No patch is currently available.
Gogs is an open source self-hosted Git service. [CVSS 8.8 HIGH]
Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS 6.6).
A vulnerability was determined in Beetel 777VR1 up to 01.00.09. This impacts an unknown function of the component SSH Service. [CVSS 3.7 LOW]
Hardcoded OS credentials in Glory RBG-100 cash recycler systems using ISPK-08 software component. Physical cash handling equipment ships with known default credentials enabling complete system takeover.
The Beetel 777VR1 router's SSH/Telnet service contains insecure default initialization that allows local network attackers to achieve partial compromise of confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not released patches despite early notification. Affected devices running firmware version 01.00.09 and earlier require isolation from untrusted local networks until a security update becomes available.
There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server. [CVSS 6.8 MEDIUM]
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. [CVSS 5.4 MEDIUM]
ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. [CVSS 7.5 HIGH]
SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file operations on the server.
The Terraform/OpenTofu Proxmox Provider prior to version 0.93.1 contains a path traversal vulnerability in its SSH sudoer configuration documentation that permits attackers to escape directory restrictions using ../ sequences and modify arbitrary files on the system. Public exploit code exists for this vulnerability, affecting users who implement the documented SSH configuration. The vulnerability has been patched in version 0.93.1 and a fix is available.
OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.
n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]
Ziroom ZHOME A0101 devices running version 1.0.1.0 use hardcoded default credentials in the Dropbear SSH service, enabling unauthenticated remote attackers to gain unauthorized access with high impact to confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. While exploitation requires specific conditions, security professionals should prioritize assessment and credential rotation for affected systems.
Arbitrary file write in H2O-3 machine learning platform version 3.46.0.1 allows remote attackers to write data to any file on the server.
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption.
with the restriction that the password is only randomized if the configured date versions up to 2022. contains a security vulnerability.
Soft Serve self-hosted Git server versions 0.11.2 and below have a critical authentication bypass that allows unauthenticated access to private repositories.
Operation And Maintenance Security Management System versions up to 3.0.12. is affected by command injection (CVSS 8.8).
Gitlab versions up to 18.6.4 is affected by allocation of resources without limits or throttling (CVSS 5.3).
Malicious wheel files can modify file permissions on critical system files during extraction in Python wheel versions 0.40.0-0.46.1, enabling attackers to alter SSH keys, configuration files, or executable scripts. This path traversal and permission manipulation flaw affects systems unpacking untrusted wheels and can lead to privilege escalation or arbitrary code execution. Public exploit code exists for this vulnerability, though a patch is available in version 0.46.2.
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. [CVSS 8.8 HIGH]
SSH service disruption in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated remote attackers to trigger denial of service through connection flooding due to missing rate limiting protections. An attacker can render the SSH service unresponsive by launching a DoS attack against the SSH port, though other device operations remain functional during the attack. No patch is currently available.
MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. [CVSS 6.2 MEDIUM]
Eclipse Che che-machine-exec exposes an unauthenticated JSON-RPC/WebSocket API on port 3333 that allows remote command execution and secret exfiltration from other users' developer workspace containers.
fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. [CVSS 6.4 MEDIUM]
Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary JavaScript by uploading malicious SVG files that bypass content sanitization. When a Termix user previews the crafted file, the payload executes within the application context with full access to sensitive operations. Public exploit code exists and no patch is currently available.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. [CVSS 5.4 MEDIUM]
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. [CVSS 8.4 HIGH]
SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. [CVSS 3.1 LOW]
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. [CVSS 5.3 MEDIUM]
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. [CVSS 7.5 HIGH]
An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. [CVSS 8.8 HIGH]
Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. [CVSS 7.5 HIGH]
badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. [CVSS 5.3 MEDIUM]
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with basic access can extract the key, SSH to the server as root, and fully compromise the Coolify instance and all managed infrastructure. PoC available.
A critical command injection vulnerability exists in the Cybersecurity AI (CAI) framework versions 0.5.9 and below, allowing attackers to execute arbitrary commands through unsanitized SSH parameters (username, host, port) in the run_ssh_command_with_credentials() function accessible to AI agents. The vulnerability has a publicly available proof-of-concept exploit and enables remote code execution with potential for complete system compromise, though real-world exploitation probability remains relatively low at 0.12% EPSS score despite the high CVSS rating of 9.6.
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes first-time SSH login users to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on authentication infrastructure specifics.
Critical authentication bypass vulnerability in Cisco Integrated Management Controller (IMC) across multiple UCS server platforms that allows authenticated remote attackers to escalate privileges and access internal services with elevated permissions via crafted SSH syntax. The vulnerability affects UCS B-Series, C-Series, S-Series, and X-Series servers, enabling attackers to create administrator accounts and modify system configurations. With a CVSS score of 8.8 and low attack complexity requiring only valid credentials, this vulnerability poses significant risk to data center infrastructure and should be prioritized for patching.
Man-in-the-middle vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) caused by insufficient SSH host key validation, allowing unauthenticated remote attackers to impersonate NDFC-managed devices and intercept SSH traffic. This vulnerability affects Cisco NDFC deployments and could lead to credential capture and device impersonation with a CVSS score of 8.7 (High). Without confirmed KEV status or public POC availability noted in standard databases, organizations should prioritize patching based on CVSS severity and the network-accessible nature of the vulnerability (AV:N).
An OpenSSH daemon listens on TCP port 22. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Percona PMM Server OVA images ship with default service account credentials that grant SSH access and sudo to root, exposing all monitoring data and managed database credentials. The scope change reflects that compromising the monitoring server gives access to all monitored infrastructure.
A flaw was found in the OpenSSH package. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 42.5% and no vendor patch available.
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 60.0%.
OpenSSH before 10.3 fails to confirm connection multiplexing in proxy-mode sessions, allowing local attackers with user interaction to bypass intended access controls and potentially manipulate multiplexed connections. The vulnerability affects OpenSSH versions prior to 10.3p1 and requires local access with user interaction (UI:R) on the affected system; while the CVSS score is low (2.5) and integrity impact is limited, the omission of confirmation mechanisms in proxy-mode multiplexing creates a logic flaw that could enable unauthorized session hijacking or redirection in multi-user environments.
OpenSSH before 10.3 incorrectly interprets ECDSA algorithm specifications in PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms configuration options, allowing authenticated users to authenticate using unintended ECDSA variants. The vulnerability requires authenticated network access and high attack complexity, resulting in a low CVSS score of 3.1 with integrity impact but no confidentiality or availability loss. No public exploit code or active exploitation has been documented.
OpenSSH before version 10.3 allows local privilege escalation through shell metacharacter injection in usernames when non-default ssh_config token expansion (%) is enabled. A local authenticated attacker with limited privileges can execute arbitrary commands by crafting a malicious username containing shell metacharacters, provided the system administrator has configured ssh_config to expand user-controlled tokens. This requires low user privileges and high attack complexity due to configuration constraints, but impacts confidentiality and integrity on affected systems.
OpenSSH before version 10.3 mishandles the authorized_keys principals option when a principals list is combined with a Certificate Authority that uses certain comma character patterns, allowing authenticated local or remote users to disclose sensitive authorization information or manipulate authentication decisions. This vulnerability affects all OpenSSH versions prior to 10.3p1 and requires authenticated access (PR:L) with non-trivial attack complexity (AC:H), resulting in partial confidentiality and integrity impact. No public exploit code or active exploitation has been identified at time of analysis.
OpenSSH's legacy scp protocol (pre-10.3) can install downloaded files with elevated setuid/setgid permissions when root users transfer files with -O flag without -p. This enables privilege escalation vectors if attackers control file server content or conduct man-in-the-middle attacks (CVSS AV:N/AC:H/UI:R). No public exploit identified at time of analysis, though exploitation probability is moderate given the specific configuration requirements (root usage, legacy protocol flag, missing preserve-mode flag).
SCP client implementations across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to path traversal during file transfer, allowing a malicious SCP server to write files outside the designated working directory and potentially execute arbitrary code or modify system configuration. This vulnerability mirrors CVE-2019-6111 in OpenSSH; unauthenticated remote attackers can exploit it with high user interaction (the victim must initiate an SCP connection to a malicious server), resulting in confidentiality, integrity, and availability compromise. No public exploit code or active exploitation has been confirmed at the time of analysis.
A remote code execution vulnerability (CVSS 6.9) that allows denial of service. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo. [CVSS 7.8 HIGH]
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
Unauthorized file access in NLTK through path traversal flaws in multiple CorpusReader classes (versions up to 3.9.2) allows unauthenticated attackers to read arbitrary files on affected systems, potentially exposing SSH keys, API tokens, and other sensitive data. The vulnerability affects NLP applications and machine learning APIs that process user-controlled file inputs without proper validation. No patch is currently available.
Unauthenticated SSH authentication bypass in Cisco Secure Firewall ASA allows remote attackers to log in as arbitrary users by exploiting insufficient input validation during the SSH key authentication phase, requiring only knowledge of a valid username and its associated public key. This vulnerability enables attackers to execute arbitrary commands on affected ASA devices with the privileges of the compromised user account. No patch is currently available.
Outdated MAC algorithms in SSH implementations for Mrs1000 and Lms1000 device firmware enable network-positioned attackers to tamper with session data integrity without user interaction. An attacker with network access can manipulate transmitted SSH traffic due to the use of cryptographically weak message authentication codes. No patch is currently available for affected devices.
Weak CBC cipher suite implementations in SSH services across SSH, LMS1000, and MRS1000 devices enable network-positioned attackers to observe or modify encrypted SSH traffic without authentication. The vulnerability requires user interaction and network access but poses a confidentiality risk to sensitive communications. No patch is currently available.
Gogs is an open source self-hosted Git service. [CVSS 8.8 HIGH]
Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS 6.6).
A vulnerability was determined in Beetel 777VR1 up to 01.00.09. This impacts an unknown function of the component SSH Service. [CVSS 3.7 LOW]
Hardcoded OS credentials in Glory RBG-100 cash recycler systems using ISPK-08 software component. Physical cash handling equipment ships with known default credentials enabling complete system takeover.
The Beetel 777VR1 router's SSH/Telnet service contains insecure default initialization that allows local network attackers to achieve partial compromise of confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not released patches despite early notification. Affected devices running firmware version 01.00.09 and earlier require isolation from untrusted local networks until a security update becomes available.
There is a misconfiguration vulnerability inside the Infotainment ECU manufactured by BOSCH. The vulnerability happens during the startup phase of a specific systemd service, and as a result, the following developer features will be activated: the disabled firewall and the launched SSH server. [CVSS 6.8 MEDIUM]
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. [CVSS 5.4 MEDIUM]
ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. [CVSS 7.5 HIGH]
SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file operations on the server.
The Terraform/OpenTofu Proxmox Provider prior to version 0.93.1 contains a path traversal vulnerability in its SSH sudoer configuration documentation that permits attackers to escape directory restrictions using ../ sequences and modify arbitrary files on the system. Public exploit code exists for this vulnerability, affecting users who implement the documented SSH configuration. The vulnerability has been patched in version 0.93.1 and a fix is available.
OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.
n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]
Ziroom ZHOME A0101 devices running version 1.0.1.0 use hardcoded default credentials in the Dropbear SSH service, enabling unauthenticated remote attackers to gain unauthorized access with high impact to confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. While exploitation requires specific conditions, security professionals should prioritize assessment and credential rotation for affected systems.
Arbitrary file write in H2O-3 machine learning platform version 3.46.0.1 allows remote attackers to write data to any file on the server.
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption.
with the restriction that the password is only randomized if the configured date versions up to 2022. contains a security vulnerability.
Soft Serve self-hosted Git server versions 0.11.2 and below have a critical authentication bypass that allows unauthenticated access to private repositories.
Operation And Maintenance Security Management System versions up to 3.0.12. is affected by command injection (CVSS 8.8).
Gitlab versions up to 18.6.4 is affected by allocation of resources without limits or throttling (CVSS 5.3).
Malicious wheel files can modify file permissions on critical system files during extraction in Python wheel versions 0.40.0-0.46.1, enabling attackers to alter SSH keys, configuration files, or executable scripts. This path traversal and permission manipulation flaw affects systems unpacking untrusted wheels and can lead to privilege escalation or arbitrary code execution. Public exploit code exists for this vulnerability, though a patch is available in version 0.46.2.
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. [CVSS 8.8 HIGH]
SSH service disruption in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated remote attackers to trigger denial of service through connection flooding due to missing rate limiting protections. An attacker can render the SSH service unresponsive by launching a DoS attack against the SSH port, though other device operations remain functional during the attack. No patch is currently available.
MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. [CVSS 6.2 MEDIUM]
Eclipse Che che-machine-exec exposes an unauthenticated JSON-RPC/WebSocket API on port 3333 that allows remote command execution and secret exfiltration from other users' developer workspace containers.
fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. [CVSS 6.4 MEDIUM]
Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary JavaScript by uploading malicious SVG files that bypass content sanitization. When a Termix user previews the crafted file, the payload executes within the application context with full access to sensitive operations. Public exploit code exists and no patch is currently available.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. [CVSS 5.4 MEDIUM]
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. [CVSS 8.4 HIGH]
SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.
When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. [CVSS 3.1 LOW]
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. [CVSS 5.3 MEDIUM]
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. [CVSS 7.5 HIGH]
An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. [CVSS 8.8 HIGH]
Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. [CVSS 7.5 HIGH]
badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. [CVSS 5.3 MEDIUM]
Coolify through v4.0.0-beta.434 exposes the root user's SSH private key to low-privileged team members. Any user with basic access can extract the key, SSH to the server as root, and fully compromise the Coolify instance and all managed infrastructure. PoC available.
A critical command injection vulnerability exists in the Cybersecurity AI (CAI) framework versions 0.5.9 and below, allowing attackers to execute arbitrary commands through unsanitized SSH parameters (username, host, port) in the run_ssh_command_with_credentials() function accessible to AI agents. The vulnerability has a publicly available proof-of-concept exploit and enables remote code execution with potential for complete system compromise, though real-world exploitation probability remains relatively low at 0.12% EPSS score despite the high CVSS rating of 9.6.
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes first-time SSH login users to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on authentication infrastructure specifics.
Critical authentication bypass vulnerability in Cisco Integrated Management Controller (IMC) across multiple UCS server platforms that allows authenticated remote attackers to escalate privileges and access internal services with elevated permissions via crafted SSH syntax. The vulnerability affects UCS B-Series, C-Series, S-Series, and X-Series servers, enabling attackers to create administrator accounts and modify system configurations. With a CVSS score of 8.8 and low attack complexity requiring only valid credentials, this vulnerability poses significant risk to data center infrastructure and should be prioritized for patching.
Man-in-the-middle vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) caused by insufficient SSH host key validation, allowing unauthenticated remote attackers to impersonate NDFC-managed devices and intercept SSH traffic. This vulnerability affects Cisco NDFC deployments and could lead to credential capture and device impersonation with a CVSS score of 8.7 (High). Without confirmed KEV status or public POC availability noted in standard databases, organizations should prioritize patching based on CVSS severity and the network-accessible nature of the vulnerability (AV:N).
An OpenSSH daemon listens on TCP port 22. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Percona PMM Server OVA images ship with default service account credentials that grant SSH access and sudo to root, exposing all monitoring data and managed database credentials. The scope change reflects that compromising the monitoring server gives access to all monitored infrastructure.
A flaw was found in the OpenSSH package. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 42.5% and no vendor patch available.
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 60.0%.