CVE-2025-61984
Published: 2025-10-06
CVE-2025-61984: ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution…
Priority: P417 · Severity: low · CVSS 3.1 base score: 3.6
CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.22% (12.5th percentile)
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | < openssh 1:9.2p1-2+deb12u8 (bookworm) | openssh 1:9.2p1-2+deb12u8 (bookworm) |
| msrc | azl3_openssh_9.8p1-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_openssh_9.8p1-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_openssh_8.9p1-8_on_cbl_mariner_2.0 | — | — |
| openbsd | openssh | < 10.1 | 10.1 |
| openbsd | openssh | >= 0 < 1:9.2p1-2+deb12u8 | 1:9.2p1-2+deb12u8 |
| openbsd | openssh | >= 0 < 1:10.0p1-7+deb13u1 | 1:10.0p1-7+deb13u1 |
| openbsd | openssh | >= 0 < 1:10.1p1-1 | 1:10.1p1-1 |
| openbsd | openssh | >= 0 < 1:8.9p1-3ubuntu0.14 | 1:8.9p1-3ubuntu0.14 |
| openbsd | openssh | >= 0 < 1:9.6p1-3ubuntu13.15 | 1:9.6p1-3ubuntu13.15 |
| openbsd | openssh | >= 0 < 1:10.0p1-5ubuntu5.1 | 1:10.0p1-5ubuntu5.1 |
| openbsd | openssh | >= 0 < 1:8.2p1-4ubuntu0.13+esm1 | 1:8.2p1-4ubuntu0.13+esm1 |
| paloalto | pan-os | — | — |
| paloalto | prisma_sd | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.6 | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| osv | — | 3.6 | LOW | — |
| vendor_debian | — | 3.6 | LOW | — |
| vendor_msrc | — | 3.6 | LOW | — |
| vendor_redhat | — | 3.6 | LOW | — |
| vendor_ubuntu | — | 3.6 | LOW | — |
Ubuntu
OpenSSH vulnerabilities
Source: vendor_ubuntu · 2026-03-12 · CVSS 3.6 · CVE-2025-61984 [LOW]
Summary: Several security issues were fixed in OpenSSH.
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)
David Leadbeater discovered that OpenSSH incorrectly handled NULL
characters in ssh:// URIs. When the ProxyCommand is being u
Ubuntu
OpenSSH vulnerabilities (Ubuntu 20.04 LTS follow-up)
Source: vendor_ubuntu · 2026-03-12 · CVSS 3.6 · CVE-2025-61984 [LOW]
Summary: Several security issues were fixed in OpenSSH.
USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the
corresponding updates for Ubuntu 20.04 LTS.
Original advisory details:
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code.
Palo Alto
PAN-SA-2025-0017 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
Source: vendor_paloalto · 2025-11-02 · CVSS 3.6 · CVE-2025-61984 [LOW]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2025-61984, CVE-2025-61985
Affected products: Prisma SD
Microsoft
Source: vendor_msrc · 2025-10-14 · CVSS 3.6 · CVE-2025-61984 [LOW] · CWE-159
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to tra
Red Hat
openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand
Source: vendor_redhat · 2025-10-06 · CVSS 3.6 · CVE-2025-61984 [LOW] · CWE-159
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
A flaw was found in OpenSSH where control characters in usernames were not properly validated when sourced from untrusted inputs like the command line or configuration expansion. If a ProxyCommand is used, these control characters could modify command behavior, potentially leading to code execution.
Statement: T
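The description at the top of the page and Red Hat's note above describe one sink: ssh(1) substitutes the remote username into a ProxyCommand through the %r token and hands the expanded string to the shell, so a username that carries a newline becomes a second command line. The Python below is an added illustration, not code from OpenSSH or from any of the advisories quoted on this page. It models the expansion, shows the newline split, applies a control-character check of the kind the 10.1 fix describes (an approximation, not ssh's own validator), and audits a constructed ssh_config for ProxyCommand stanzas that expand %r. The supported token set (%r, %h, %p, %%), the shell-metacharacter list, the sample config and its host names are assumptions; nothing in it executes a shell.

```python
"""CVE-2025-61984 sink model: %r reaching ProxyCommand, and the check that closes it.
Added illustration, not OpenSSH code. Token set and validator are simplified
assumptions; ssh_config(5) documents the full token list."""
import re
import unicodedata
from typing import Dict, List

_TOKEN = re.compile(r"%(.)")            # %r, %h, %p, %% ...
_SHELL_META = set("'`\";&<>|(){}")      # assumed metacharacter set, not ssh's exact list


def expand_proxy_command(template: str, *, user: str, host: str, port: int) -> str:
    """Substitute %r/%h/%p/%% with no validation (the pre-fix behaviour).
    Only the tokens this example needs are supported; others raise."""
    values = {"r": user, "h": host, "p": str(port), "%": "%"}

    def _sub(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unsupported token %{key} in example expander")
        return values[key]

    return _TOKEN.sub(_sub, template)


def username_is_safe(user: str) -> bool:
    """False for usernames that could alter a ProxyCommand: option-like prefix,
    shell metacharacters and, the gap this CVE names, any control character
    (Unicode category Cc covers C0 controls, DEL and C1)."""
    if not user or user.startswith("-"):
        return False
    return not any(ch in _SHELL_META or unicodedata.category(ch) == "Cc" for ch in user)


def expand_proxy_command_checked(template: str, *, user: str, host: str, port: int) -> str:
    """Post-fix behaviour: refuse to expand when %r would receive a bad username."""
    if "r" in _TOKEN.findall(template) and not username_is_safe(user):
        raise ValueError("refusing ProxyCommand: remote username contains unsafe characters")
    return expand_proxy_command(template, user=user, host=host, port=port)


def proxycommands_using_remote_user(ssh_config: str) -> List[Dict[str, str]]:
    """Audit ssh_config text for ProxyCommand directives that expand %r, i.e. the
    stanzas in which a command-line or %-expanded username reaches the shell.
    Scope tracking is simplified: directives before any Host/Match are 'global'."""
    findings: List[Dict[str, str]] = []
    scope = "(global)"
    for raw in ssh_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            scope = f"{key} {value}"
        elif key == "proxycommand" and "r" in _TOKEN.findall(value):
            findings.append({"scope": scope, "proxycommand": value})
    return findings


# Constructed sample ssh_config; the host names are placeholders, not real systems.
SAMPLE_SSH_CONFIG = """\
Host bastion
    HostName bastion.example.invalid
    User deploy

Host *.internal.example.invalid
    ProxyCommand ssh -W %h:%p %r@bastion

Host legacy
    ProxyCommand nc -X connect -x proxy.example.invalid:1080 %h %p
"""


def demo() -> Dict[str, object]:
    """Build the strings ssh would hand to '$SHELL -c' for a hostile username.
    Nothing is executed; the result is only inspected."""
    template = "ssh -W %h:%p %r@bastion"
    hostile_user = "alice\nid"          # newline: everything after it is a second command
    unchecked = expand_proxy_command(template, user=hostile_user,
                                     host="db.internal.example.invalid", port=22)
    try:
        expand_proxy_command_checked(template, user=hostile_user,
                                     host="db.internal.example.invalid", port=22)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "shell_lines": unchecked.splitlines(),   # two lines: the ssh command, then 'id@bastion'
        "blocked_after_fix": blocked,
        "risky_stanzas": proxycommands_using_remote_user(SAMPLE_SSH_CONFIG),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see the three results. On a real client the audit function can be fed the text of ~/.ssh/config and /etc/ssh/ssh_config to find the stanzas where this fix matters; a stanza whose ProxyCommand never expands %r does not pass the username to the shell at all, which is the practical scoping question before deciding how urgently to update a host that cannot yet take the fixed package.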
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
Source: vendor_paloalto · 2025-02-12 · CVSS 7.1 · CVE-2015-5312 [HIGH]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Debian
CVE-2025-61984: openssh - ssh in OpenSSH before 10.1 allows control characters in usernames that originate...
Source: vendor_debian · 2025 · CVSS 3.6 · CVE-2025-61984 [LOW]
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Scope: local
bookworm: resolved (fixed in 1:9.2p1-2+deb12u8)
bullseye: open
forky: resolved (fixed in 1:10.1p1-1)
sid: resolved (fixed in 1:10.1p1-1)
trixie: resolved (fixed in 1:10.0p1-7+deb13u1)
OSV
openssh vulnerabilities
Source: osv · 2026-03-12 · CVSS 3.6 · CVE-2026-3497 [LOW]
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)
David Leadbeater discovered that OpenSSH incorrectly handled NULL
characters in ssh:// URIs. When the ProxyCommand is being used, an attacker
could possibly use this issue to execute arbitr
OSV
openssh vulnerabilities (Ubuntu 20.04 LTS follow-up)
Source: osv · 2026-03-12 · CVSS 3.6 · CVE-2026-3497 [LOW]
USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the
corresponding updates for Ubuntu 20.04 LTS.
Original advisory details:
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly
handled disconnecting clients. In non-default configurations where the
GSSAPIKeyExchange setting is enabled, a remote attacker could use this
issue to cause OpenSSH to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2026-3497)
David Leadbeater discovered that OpenSSH incorrectly handled certain
control characters in usernames. When untrusted usernames and the
ProxyCommand are being used, an attacker could possibly use this issue to
execute arbitrary code. (CVE-2025-61984)
David Leadbeater discovered that OpenSSH incor
GHSA
GHSA-hh67-847q-q3h9: ssh in OpenSSH before 10
Source: ghsa_unreviewed · 2025-10-06 · CVE-2025-61984 [LOW] · CWE-159
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
OSV
CVE-2025-61984: ssh in OpenSSH before 10
Source: osv · 2025-10-06 · CVSS 3.6 · CVE-2025-61984 [LOW]
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61984 openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand
Source: bugzilla · 2025-10-06 · CVSS 3.6 · CVE-2025-61984 [LOW]
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:23479 https://access.redhat.com/errata/RHSA-2025:23479
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:23480 https://access.red
Bleepingcomputer
Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
Source: blogs_bleepingcomputer · 2025-10-14 · CVSS 7.8 [HIGH]
By Lawrence Abrams
80 Elevation of Privilege Vulnerabilities
11 Security Feature Bypass Vulnerabilities
31 Remote Code Execution Vulnerabilities
28 Information Disclosure Vulnerabilities
11 Denial of Service Vulnerabilities
10 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include those fixed in Azure, Mariner, Microsoft Edge, and other vulnerabilities earlier this month.
Notably, Windows 10 reaches the end of support today, with this being the last Patch Tuesday where Microsoft provides free security updates to the venerable operating system.
To continue receiving security upd
References
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
- https://www.openssh.com/releasenotes.html#10.1p1
- https://www.openwall.com/lists/oss-security/2025/10/06/1
- http://www.openwall.com/lists/oss-security/2025/10/07/1
- http://www.openwall.com/lists/oss-security/2025/10/12/1
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh
- https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984