PT-2025-40939 · Openbsd+10 · Openssh+10
David Leadbeater
·
Published
2025-10-06
·
Updated
2026-03-19
·
CVE-2025-61984
CVSS v3.1
3.6
Low
| AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSSH versions prior to 10.1
Alma Linux (affected versions not specified)
SUSE (affected versions not specified)
IBM AIX (affected versions not specified)
Fortinet FortiWeb (affected versions not specified)
Description
OpenSSH before version 10.1 contains a command injection flaw in its ProxyCommand handling. ssh(1) expands %-sequences such as %r (the remote username) into the ProxyCommand string and then hands the result to the user's shell with `-c`; before 10.1 it did not reject control characters in the username. A username containing a newline or another control character, taken from an untrusted source (the command line, or a %-sequence expanded from a configuration file), can therefore add lines to the shell command, which run on the client host with the privileges of the user running ssh. Successful exploitation could lead to remote code execution. The vulnerability is actively being exploited, and proof-of-concept exploits are publicly available. ProxyCommand is common on bastions, in CI/CD pipelines and in helper scripts that build ssh command lines from user-supplied targets, which widens the attack surface.
Recommendations
Upgrade OpenSSH to version 10.1 or later.
Disable or limit the use of the
ProxyCommand functionality if it is not essential.
If ProxyCommand must be used, avoid building SSH commands from untrusted input.
Set a literal User in the ssh config to avoid unsafe % expansions.
Hunt for unusual ProxyCommand invocations. The ProxyCommand runs on the client side, so the destination server's auth.log shows only the resulting login; look on the client host (or on a bastion acting as the client) for shells spawned by ssh, for example in auditd or EDR process-execution records, and correlate with the logins recorded in that host's auth.log.
Rotate SSH keys and tighten ingress access control lists.
Treat potentially compromised hosts as such until proven otherwise.
Exploit
Fix
RCE
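As an added illustration (not code from this advisory or from OpenSSH), the following Python models the step the description refers to: a %r expansion that copies an untrusted username into the ProxyCommand string before the shell sees it, beside the check a script that builds ssh command lines should apply before calling ssh. The template, the username, the host name and every function name are constructed for the example.

```python
"""Model of CVE-2025-61984: control characters in a username reaching a
ProxyCommand through %r expansion. Added illustration, not OpenSSH code;
all names below are hypothetical."""
import re
import subprocess
from typing import List

# Any byte below 0x20 plus DEL. OpenSSH 10.1 refuses usernames containing
# these when they come from the command line or from %-expansion.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed ProxyCommand template; a real one would be something like
# "ssh -W %h:%p %r@jump". echo is used so the model runs harmlessly offline.
TEMPLATE = "echo connecting to %h:%p as %r"


def has_control_chars(s: str) -> bool:
    """True if the string could add a line to a shell command."""
    return _CONTROL.search(s) is not None


def expand_proxycommand(template: str, user: str, host: str, port: int) -> str:
    """Plain %r/%h/%p substitution with no sanitising: a constructed model of
    the pre-10.1 client behaviour. %% yields a literal percent sign."""
    out = []
    i = 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            repl = {"r": user, "h": host, "p": str(port), "%": "%"}.get(template[i + 1])
            if repl is not None:
                out.append(repl)
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def run_through_shell(command: str) -> List[str]:
    """ssh hands the expanded ProxyCommand to the shell with -c; return stdout lines."""
    res = subprocess.run(["sh", "-c", command], capture_output=True, text=True, check=False)
    return res.stdout.splitlines()


def demo_injection() -> List[str]:
    """Constructed malicious username: a newline followed by a second command."""
    user = "alice\necho INJECTED"
    return run_through_shell(expand_proxycommand(TEMPLATE, user, "bastion.example", 22))


def validate_username(user: str) -> str:
    """The hardened check: reject the username before it reaches ssh at all."""
    if not user or has_control_chars(user):
        raise ValueError("refusing username containing control characters")
    return user


def build_ssh_argv(user: str, host: str, proxy: str) -> List[str]:
    """Build an argv list (no outer shell) with a literal User and a ProxyCommand
    chosen by the script, after validating the untrusted username."""
    validate_username(user)
    return ["ssh", "-oUser=" + user, "-oProxyCommand=" + proxy, host]


if __name__ == "__main__":
    print(demo_injection())  # the second line of output comes from the username
    print(build_ssh_argv("alice", "target.example", "nc -X connect -x proxy:1080 %h %p"))
```

Note that quoting the outer command line (for example with shlex.quote around `user@host`) does not help here: the username is passed to ssh intact and the expansion into the ProxyCommand happens inside ssh, after any quoting the script applied. Only rejecting control characters before the call, or running a fixed client, closes the path.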
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Centos
Debian
Ibm Aix
Linuxmint
Openssh
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu