CVE-2012-6066
published 2012-12-04


Priority: P2 · 73 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 39.51% (98.4th percentile)
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freesshd | freesshd | <= 1.2.6 | |
| freesshd | freesshd | | |
| freesshd | freesshd | | |

Detection & IOCs (extracted from sources)

filename: freeSSHd.exe
filename: nullevent.exe
filename: nullevent.mof
path: wbem/mof/nullevent.mof
path: c:\windows\system32\nullevent.exe
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23080.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23079.zip
  • Detect freeSSHd authentication bypass by identifying SSH banner 'SSH-2.0-WeOnlyDo 2.1.3' or 'SSH-2.0-WeOnlyDo 2.0.6' on port 22; these specific versions are confirmed vulnerable.
  • Alert on SSH connections that successfully authenticate using only a freshly generated ephemeral RSA key (2048-bit) with no prior key exchange history — characteristic of the bypass technique.
  • Monitor for upload of 'nullevent.mof' to the WMI MOF auto-execution path (wbem/mof/) via SFTP, which is the post-exploitation persistence/execution technique used with this vulnerability.
  • Detect VBS-based payload staging over SSH: look for sequences of base64-encoded VBS commands executed via SSH shell, consistent with CmdStagerVBS post-exploitation.
  • Flag SSH login attempts using common default usernames (root, admin, Administrator, webadmin, sysadmin, netadmin, guest, user, web, test, ssh, sftp, ftp) against freeSSHd services, especially when authentication succeeds without a valid credential exchange.
  • The Metasploit module targets freeSSHd <= 1.2.6 and requires net/ssh gem to be installed; the bypass works against both password and public key authentication modes.
  • The VBS payload upload step can take up to 5 minutes; defenders should account for prolonged SSH session activity as a sign of staged payload delivery.
  • The exploit leverages the STUXNET WMI MOF execution technique for code execution after authentication bypass; detection should cover both the auth bypass and the subsequent MOF-based execution chain.
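A triage sketch for the banner, MOF-path and default-username checks listed above, added here as an example and not taken from the page's sources. The banners, file names and usernames are the ones on this page; the event dictionary schema, host names, function names and finding tags are assumptions made for illustration.

```python
from pathlib import PureWindowsPath
# Indicator values copied from this page.
VULNERABLE_BANNERS = {"SSH-2.0-WeOnlyDo 2.1.3", "SSH-2.0-WeOnlyDo 2.0.6"}
IOC_FILENAMES = {"nullevent.mof", "nullevent.exe"}
DEFAULT_USERS = {"root", "admin", "administrator", "webadmin", "sysadmin", "netadmin",
                 "guest", "user", "web", "test", "ssh", "sftp", "ftp"}

def banner_is_vulnerable(banner):
    """Exact match on the SSH identification string (trailing CR/LF stripped)."""
    return banner.strip() in VULNERABLE_BANNERS

def classify_write(path):
    """Tag a written file path; accepts / or \\ separators, case-insensitive."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if not parts:
        return None
    dirs, name = parts[:-1], parts[-1]
    in_mof_dir = any(dirs[i:i + 2] == ["wbem", "mof"] for i in range(len(dirs) - 1))
    if in_mof_dir and name.endswith(".mof"):
        return "mof-autocompile-drop"      # any MOF placed in the auto-execution path
    if name in IOC_FILENAMES:
        return "known-ioc-filename"
    return None

def triage(events):
    """Return sorted (host, finding) pairs; events use a hypothetical dict schema."""
    vulnerable = {e["host"] for e in events
                  if e["type"] == "banner" and banner_is_vulnerable(e["banner"])}
    findings = {(h, "vulnerable-banner") for h in vulnerable}
    for e in events:
        if e["type"] == "sftp_write":
            tag = classify_write(e["path"])
            if tag:
                findings.add((e["host"], tag))
        elif (e["type"] == "login" and e["host"] in vulnerable
              and e["user"].lower() in DEFAULT_USERS):
            findings.add((e["host"], "default-user-login-on-vulnerable-host"))
    return sorted(findings)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "banner", "host": "srv-a", "banner": "SSH-2.0-WeOnlyDo 2.1.3\r\n"},
    {"type": "banner", "host": "srv-b", "banner": "SSH-2.0-OpenSSH_9.6\r\n"},
    {"type": "login", "host": "srv-a", "user": "Administrator"},
    {"type": "login", "host": "srv-b", "user": "root"},
    {"type": "sftp_write", "host": "srv-a", "path": "wbem/mof/nullevent.mof"},
    {"type": "sftp_write", "host": "srv-a", "path": r"C:\Windows\System32\nullevent.exe"},
    {"type": "sftp_write", "host": "srv-b", "path": "docs/report.mof.txt"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only `srv-a`; the default-username login on `srv-b` is not raised because that host did not present one of the listed banners.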