{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openssh-before-10.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":4.2,"id":"CVE-2026-59996"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenSSH before 10.4"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","scp","openssh","linux","macos"],"_cs_type":"advisory","_cs_vendors":["OpenSSH"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-59996, affects the \u003ccode\u003escp\u003c/code\u003e utility within OpenSSH versions prior to 10.4. This flaw permits an attacker to deviate the intended destination of a file transfer when a copy operation is performed between two remote hosts. Specifically, the \u003ccode\u003escp\u003c/code\u003e utility may incorrectly place the copied file into a parent directory relative to the user's specified target. This issue, disclosed by Microsoft, highlights a potential for unintended file system modifications. While not an immediate remote code execution, successful exploitation could enable attackers to overwrite critical system files, place malicious configurations, or stage executables in unexpected locations, subsequently aiding in privilege escalation or further system compromise. Organizations utilizing OpenSSH with \u003ccode\u003escp\u003c/code\u003e for remote-to-remote transfers should prioritize patching to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate user initiates an \u003ccode\u003escp\u003c/code\u003e command to transfer a file between two remote hosts using an OpenSSH client/server ecosystem that includes a vulnerable version of the \u003ccode\u003escp\u003c/code\u003e utility (prior to 10.4).\u003c/li\u003e\n\u003cli\u003eOne of the remote hosts (either the source or destination for the file transfer) is under the control of an attacker, or the attacker can influence the file path/name specified in the transfer.\u003c/li\u003e\n\u003cli\u003eDuring the remote-to-remote \u003ccode\u003escp\u003c/code\u003e transfer, the attacker exploits CVE-2026-59996 by manipulating specific input or file path details sent to the vulnerable \u003ccode\u003escp\u003c/code\u003e utility.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003escp\u003c/code\u003e utility on the destination host processes the manipulated input incorrectly due to a path traversal-like vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a result, the transferred file is placed in a parent directory on the destination host, outside of the intended target directory specified by the user.\u003c/li\u003e\n\u003cli\u003eThis unintended file placement could lead to overwriting critical system files, placing malicious configuration files, or staging malicious executables in sensitive locations, potentially leading to privilege escalation, arbitrary code execution, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-59996 is unintended file placement on a target system. While not directly leading to remote code execution, a successful exploit could allow an attacker to overwrite crucial system files, leading to denial of service or system instability, or to place malicious files in locations where they could be executed by legitimate system processes or users, facilitating further compromise, privilege escalation, or persistence. The exact scope of impact depends on the specific file overwritten or placed and its location within the file system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all OpenSSH installations to version 10.4 or later to remediate CVE-2026-59996.\u003c/li\u003e\n\u003cli\u003eReview configurations of \u003ccode\u003escp\u003c/code\u003e and SSH to ensure only necessary file transfers are permitted and validate paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T07:40:17Z","date_published":"2026-07-09T07:40:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openssh-scp-file-placement/","summary":"CVE-2026-59996 details a vulnerability in OpenSSH's `scp` utility, allowing a remote attacker to cause a copied file to be placed in a parent directory of the intended destination during a remote-to-remote transfer, potentially leading to unintended file system modification.","title":"CVE-2026-59996: OpenSSH scp File Placement Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-openssh-scp-file-placement/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenSSH Before 10.4","version":"https://jsonfeed.org/version/1.1"}