ProxyCommand: The Little String That Opens a Port for Exploits

Antonio Piazzolla : 13 October 2025 08:04

Yesterday, a vulnerability in OpenSSH, CVE-2025-61984, was published that potentially allows command execution on the client when ProxyCommand is used with usernames containing control characters (e.g., newlines).

Some OpenSSH input streams were not properly stripping control characters from usernames. An attacker could exploit this behavior by constructing a username containing, for example, a newline followed by a string that should be interpreted as a command.

When that username is interpolated into the string invoked by the ProxyCommand, some shells continue past the syntax error introduced by the newline and keep executing: the next line can then be run as the payload. Essentially, a small sequence of malicious characters, combined with a permissive shell and a particular SSH configuration, can result in an RCE.

Why a Git submodule is dangerous

Git can be insidious here because the vector exploits common developer actions. A repository may include a submodule whose SSH URL has been constructed to contain a manipulated username. When someone runs git clone --recursive, Git also attempts to retrieve the submodules via SSH, at which point the client executes the locally configured ProxyCommand. Under certain conditions, the entire chain leads to payload execution.

The exploit doesn’t activate “by itself.” Two specific conditions must be met on the victim’s system for it to work:

  1. Permissive shell: the shell invoked by the ProxyCommand must continue execution after a syntax error (typical behavior of Bash, Fish, csh).
  2. Vulnerable ProxyCommand: the user's ~/.ssh/config file must contain a ProxyCommand that includes the token %r (the remote username) without adequate protection, for example with %r not properly quoted or sanitized.

If both conditions are met, the manipulated username can be interpolated into the string invoked by the proxy and trigger unwanted commands.
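To make the second condition checkable, the following script (an added example, not part of the original article) scans an ssh_config text for ProxyCommand directives that expand %r outside quotes, and rejects usernames containing control characters. The config content and the /usr/local/bin/proxy-helper paths are constructed for the demonstration.

```python
import re

# Constructed sample ~/.ssh/config, not a real user's file: one ProxyCommand
# without %r, one with an unquoted %r, one with %r single-quoted.
CONSTRUCTED_CONFIG = """\
# constructed sample, not a real user's file
Host *.corp.example
    ProxyCommand ssh -W %h:%p jump.corp.example
Host legacy.example
    ProxyCommand /usr/local/bin/proxy-helper %r@%h %p
Host hardened.example
    ProxyCommand /usr/local/bin/proxy-helper '%r' %h %p
"""

# ssh_config keywords are case-insensitive and may use "Keyword=value" form.
PROXYCOMMAND_RE = re.compile(r"^\s*proxycommand[\s=]+(.*)$", re.IGNORECASE)


def has_unquoted_token(command: str, token: str = "%r") -> bool:
    """True if `token` occurs in `command` outside single or double quotes."""
    quote = None  # the quote character currently open, if any
    for i, ch in enumerate(command):
        if quote is None and ch in ("'", '"'):
            quote = ch
        elif ch == quote:
            quote = None
        elif quote is None and command.startswith(token, i):
            return True
    return False


def audit_ssh_config(text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every ProxyCommand that expands %r unquoted."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PROXYCOMMAND_RE.match(line)
        if match and has_unquoted_token(match.group(1)):
            findings.append((lineno, line))
    return findings


def username_is_safe(username: str) -> bool:
    """Reject any ASCII control character (including newline and DEL) in a username."""
    return all(ord(c) > 31 and ord(c) != 127 for c in username)
```

Run audit_ssh_config over the contents of ~/.ssh/config (and /etc/ssh/ssh_config) to list the directives to fix; username_is_safe can be applied to the user part of submodule URLs in .gitmodules before a recursive clone.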

Practical implications

  • Developers and automated systems that perform recursive cloning are a susceptible target because the vector exploits routine operations.
  • Tools that automatically generate ~/.ssh/config and insert %r without protections amplify the risk.
  • The presence of public proof-of-concept makes the situation urgent: it increases the likelihood that someone will automate exploitation on a large scale.

Public PoCs – What They Show and Why You Should Care (Non-Actionable Information)

In recent days, proof-of-concepts have been circulating that clearly explain the attack chain, but without providing practical instructions for exploiting it. These PoCs demonstrate the typical scenario: a username containing control characters is interpolated into the ProxyCommand, and a permissive shell ends up executing the next line. Many PoCs use the Git submodule example as a demonstration because it highlights the supply-chain risk: a compromised repository can easily reach developers and automated pipelines.

The operational value of PoCs isn't teaching exploitation, but highlighting where to focus testing. However, publishing them reduces the time attackers would spend developing automated exploits, so the window for intervention is short.

The flaw is fixed by updating OpenSSH to version 10.1, which should be done as soon as possible.

Antonio Piazzolla
IT Infrastructure & Security Manager with more than 20 years of experience in complex business environments. In the Casillo Group, he deals with business continuity, security and innovation. Microsoft, VMware, Cisco and ITIL certified.
