<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenSSH Before 10.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openssh-before-10.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 07:40:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openssh-before-10.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59996: OpenSSH scp File Placement Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-openssh-scp-file-placement/</link><pubDate>Thu, 09 Jul 2026 07:40:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openssh-scp-file-placement/</guid><description>CVE-2026-59996 details a vulnerability in OpenSSH's `scp` utility, allowing a remote attacker to cause a copied file to be placed in a parent directory of the intended destination during a remote-to-remote transfer, potentially leading to unintended file system modification.</description><content:encoded><![CDATA[<p>A vulnerability, identified as CVE-2026-59996, affects the <code>scp</code> utility within OpenSSH versions prior to 10.4. This flaw permits an attacker to deviate the intended destination of a file transfer when a copy operation is performed between two remote hosts. Specifically, the <code>scp</code> utility may incorrectly place the copied file into a parent directory relative to the user's specified target. This issue, disclosed by Microsoft, highlights a potential for unintended file system modifications. While not an immediate remote code execution, successful exploitation could enable attackers to overwrite critical system files, place malicious configurations, or stage executables in unexpected locations, subsequently aiding in privilege escalation or further system compromise. Organizations utilizing OpenSSH with <code>scp</code> for remote-to-remote transfers should prioritize patching to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A legitimate user initiates an <code>scp</code> command to transfer a file between two remote hosts using an OpenSSH client/server ecosystem that includes a vulnerable version of the <code>scp</code> utility (prior to 10.4).</li>
<li>One of the remote hosts (either the source or destination for the file transfer) is under the control of an attacker, or the attacker can influence the file path/name specified in the transfer.</li>
<li>During the remote-to-remote <code>scp</code> transfer, the attacker exploits CVE-2026-59996 by manipulating specific input or file path details sent to the vulnerable <code>scp</code> utility.</li>
<li>The vulnerable <code>scp</code> utility on the destination host processes the manipulated input incorrectly due to a path traversal-like vulnerability.</li>
<li>As a result, the transferred file is placed in a parent directory on the destination host, outside of the intended target directory specified by the user.</li>
<li>This unintended file placement could lead to overwriting critical system files, placing malicious configuration files, or staging malicious executables in sensitive locations, potentially leading to privilege escalation, arbitrary code execution, or further system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-59996 is unintended file placement on a target system. While not directly leading to remote code execution, a successful exploit could allow an attacker to overwrite crucial system files, leading to denial of service or system instability, or to place malicious files in locations where they could be executed by legitimate system processes or users, facilitating further compromise, privilege escalation, or persistence. The exact scope of impact depends on the specific file overwritten or placed and its location within the file system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch all OpenSSH installations to version 10.4 or later to remediate CVE-2026-59996.</li>
<li>Review configurations of <code>scp</code> and SSH to ensure only necessary file transfers are permitted and validate paths.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>scp</category><category>openssh</category><category>linux</category><category>macos</category></item></channel></rss>