A critical vulnerability (CVE-2025-61984) in OpenSSH’s ProxyCommand feature allows remote attackers to execute arbitrary code on client systems by exploiting inadequate filtering of control characters in usernames. The flaw arises when the `%r` token in `~/.ssh/config` expands a malicious username containing an injected newline, so that the shell running the ProxyCommand executes an unintended command with the SSH client’s privileges. Proof-of-concept exploits demonstrate the attack via crafted Git submodule URLs: a malicious repository’s `.gitmodules` entry triggers the vulnerability if the user’s SSH config uses `ProxyCommand` with an unquoted `%r`. The issue affects OpenSSH clients up to and including 10.0p1, posing severe risk to organizations relying on SSH proxies, including cloud gateways such as Teleport. While the flaw requires specific prerequisites (e.g., an unquoted `%r` in the config), successful exploitation could lead to full system compromise, data theft, or lateral movement within networks. Mitigations include upgrading to OpenSSH 10.1p1 or later, quoting the `%r` token, or restricting SSH transport in Git. The vulnerability’s CVSS 3.1 score of 8.1 underscores its high severity, particularly for enterprises with exposed SSH proxy configurations.
Source: https://cyberpress.org/openssh-vulnerability-proxycommand/
TPRM report: https://www.rankiteo.com/company/linuxnewmedia
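The two checks the summary implies, as an added example that is not code from the page, from OpenSSH or from the report author: an audit that flags `ProxyCommand` lines whose `%r` sits outside quotes, and a username filter that rejects control characters in the spirit of the 10.1p1 fix (the exact OpenSSH logic is not on the page; this is an assumption). The `ssh_config` text is constructed sample input.

```python
import re

# Constructed sample ssh_config: one vulnerable host, one quoted host, one without a proxy.
SAMPLE_CONFIG = """\
# jump hosts
Host bastion-old
    ProxyCommand /usr/bin/nc -X connect -x proxy:8080 %r@%h:%p
Host bastion-fixed
    ProxyCommand /usr/bin/nc -X connect -x proxy:8080 '%r@%h:%p'
Host direct
    HostName example.internal
"""

# Anything inside single or double quotes; a %r inside either stays one shell word.
_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")


def proxycommand_unquoted_r(value):
    """True if the ProxyCommand value still contains %r after quoted segments are removed."""
    return "%r" in _QUOTED.sub("", value)


def audit_ssh_config(text):
    """Return (host, proxycommand) pairs where %r is expanded unquoted into the shell."""
    findings = []
    host = "*"  # settings before the first Host/Match block apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in ("host", "match"):
            host = value
        elif key == "proxycommand" and proxycommand_unquoted_r(value):
            findings.append((host, value))
    return findings


def username_has_control_chars(name):
    """Reject usernames carrying ASCII control characters (newline, CR, NUL, DEL ...).

    Assumption: this models the page's description of the 10.1p1 change, not its code.
    """
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)


if __name__ == "__main__":
    for host, cmd in audit_ssh_config(SAMPLE_CONFIG):
        print(f"unquoted %r in ProxyCommand for host {host!r}: {cmd}")
```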
"id": "lin1293712100725",
"linkid": "linuxnewmedia",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cybersecurity/IT Infrastructure',
'location': 'Global',
'name': 'OpenSSH Project',
'type': 'Open-Source Software'},
{'location': 'Global',
'name': 'Organizations using OpenSSH clients ≤ 10.0p1',
'type': ['Enterprises',
'Cloud Service Providers',
'Developers']},
{'industry': 'Cybersecurity/Cloud Infrastructure',
'location': 'Global',
'name': 'Teleport (and similar cloud gateway services)',
'type': 'SSH Proxy Solutions'}],
'attack_vector': ['Network',
'ProxyCommand Misconfiguration',
'Git Submodule Exploitation'],
'customer_advisories': ['Users of affected OpenSSH versions urged to upgrade',
'Organizations relying on SSH proxies advised to '
'apply mitigations'],
'description': 'A critical vulnerability in OpenSSH’s ProxyCommand feature '
'(CVE-2025-61984) enables remote attackers to execute '
'arbitrary code on client systems due to inadequate filtering '
'of control characters in usernames when expanding the '
'ProxyCommand string. The flaw arises when the %r token is '
'used in SSH configurations, allowing attackers to inject line '
'breaks that disrupt the intended exec invocation, leading to '
'arbitrary command execution with the privileges of the SSH '
'client. A proof-of-concept exploit has been published, '
'demonstrating the attack across multiple shells (Bash, fish, '
'csh). The vulnerability affects OpenSSH client versions up to '
'and including 10.0p1. Common attack vectors include malicious '
'Git submodule URLs with crafted usernames, triggering the '
'exploit when ProxyCommand is configured with %r.',
'impact': {'brand_reputation_impact': ['Potential loss of trust in affected '
"organizations' security practices"],
'operational_impact': ['Potential unauthorized command execution '
'on client systems',
'Compromise of SSH sessions',
'Risk of lateral movement within networks'],
'systems_affected': ['OpenSSH clients ≤ 10.0p1',
'Systems using SSH proxies (e.g., Teleport, '
'cloud gateways)',
'Environments with Git submodules using SSH '
'transport']},
'initial_access_broker': {'entry_point': ['Malicious Git submodule URLs',
'Crafted usernames in SSH '
'ProxyCommand'],
'high_value_targets': ['SSH client systems',
'Cloud gateways',
'Development environments '
'with Git submodules']},
'investigation_status': 'Ongoing (vulnerability disclosed, proof-of-concept '
'released, mitigations provided)',
'lessons_learned': ['Importance of input validation in SSH configurations, '
'especially for dynamic tokens like %r',
'Risks of unfiltered usernames in ProxyCommand directives',
'Need for prompt patching of critical infrastructure '
'components like OpenSSH',
'Significance of securing Git submodule configurations to '
'prevent supply chain attacks'],
'post_incident_analysis': {'corrective_actions': ['Patch OpenSSH to disallow '
'control characters in '
'usernames (implemented in '
'10.1p1)',
'Enforce quoting of %r in '
'ProxyCommand '
'configurations',
'Restrict Git submodule SSH '
'transport to mitigate '
'attack surface'],
'root_causes': ['Inadequate filtering of control '
'characters (e.g., newlines) in '
'usernames for ProxyCommand',
'Use of unquoted %r token in SSH '
'configurations',
'Lack of input validation for '
'dynamic SSH directives']},
'recommendations': ['Upgrade OpenSSH clients to version 10.1p1 or later '
'immediately',
'Audit and secure SSH configurations, particularly '
'ProxyCommand directives using %r',
'Quote the %r token in ProxyCommand to prevent injection '
"(e.g., `'%r@%h:%p'`)",
'Restrict Git submodule SSH transport (`git config '
'--global protocol.ssh.allow user`)',
'Monitor for suspicious SSH ProxyCommand activity or '
'unexpected command execution',
'Educate developers and administrators on the risks of '
'unfiltered usernames in SSH configurations',
'Review cloud gateway and SSH proxy solutions (e.g., '
'Teleport) for exposure to this vulnerability'],
'references': [{'source': 'CVE Details for CVE-2025-61984'},
{'source': 'OpenSSH Project Advisory'},
{'source': 'Proof-of-Concept Exploit (Bash, fish, csh '
'shells)'}],
'response': {'communication_strategy': ['Public disclosure of vulnerability '
'(CVE-2025-61984)',
'Release of proof-of-concept for '
'awareness',
'Advisories for administrators to '
'apply mitigations'],
'containment_measures': ['Quoting the %r token in SSH '
'configurations (e.g., `ProxyCommand '
'/usr/bin/nc -X connect -x proxy:8080 '
"'%r@%h:%p'`)",
'Disabling unintended SSH transport for '
'Git submodules (`git config --global '
'protocol.ssh.allow user`)',
'Limiting URL handlers that pass '
'unfiltered SSH usernames'],
'enhanced_monitoring': ['Monitoring for unusual SSH ProxyCommand '
'activity',
'Auditing Git submodule configurations'],
'remediation_measures': ['Upgrading OpenSSH clients to version '
'10.1p1 or later (definitive fix)',
'Applying patches or workarounds for '
'affected systems']},
'stakeholder_advisories': ['Administrators of OpenSSH clients',
'Cloud gateway/SSH proxy service providers',
'Developers using Git submodules with SSH '
'transport'],
'title': 'Critical Remote Code Execution Vulnerability in OpenSSH’s '
'ProxyCommand Feature (CVE-2025-61984)',
'type': ['Vulnerability', 'Remote Code Execution (RCE)'],
'vulnerability_exploited': 'CVE-2025-61984 (Inadequate filtering of control '
'characters in usernames for ProxyCommand in '
'OpenSSH)'}