{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/arbitrary-file-placement/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":4.2,"id":"CVE-2026-59995"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenSSH sftp \u003c 10.4"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","client-side","arbitrary-file-placement","openssh","sftp"],"_cs_type":"threat","_cs_vendors":["OpenSSH"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-59995, has been identified in the OpenSSH SFTP client, affecting all versions prior to 10.4. This flaw allows a malicious SFTP server to manipulate the client's file placement logic when a user executes the command \u003ccode\u003esftp server:/path .\u003c/code\u003e. The vulnerability stems from insufficient constraints on the target location during file downloads, enabling the attacker-controlled server to dictate where files are saved on the victim's system. This could lead to malicious files being written to sensitive directories, potentially establishing persistence, achieving arbitrary code execution, or causing denial of service. While specific exploitation in the wild has not been detailed, the vulnerability poses a significant risk to users who interact with untrusted SFTP servers. This brief highlights the mechanics of the vulnerability and recommended mitigations for detection engineers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker provisions a malicious SFTP server specifically configured to exploit CVE-2026-59995.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a lure, such as a deceptive communication or a malicious link, to entice a victim into connecting to their SFTP server.\u003c/li\u003e\n\u003cli\u003eThe victim user, unaware of the server's malicious intent, executes the \u003ccode\u003esftp attacker.com:/remote/path .\u003c/code\u003e command using a vulnerable OpenSSH client (version before 10.4).\u003c/li\u003e\n\u003cli\u003eDuring the download process, the malicious SFTP server responds with specially crafted directory listings or manipulated path information to the client.\u003c/li\u003e\n\u003cli\u003eDue to the parsing vulnerability (CVE-2026-59995), the OpenSSH client misinterprets the server's response regarding the intended download location.\u003c/li\u003e\n\u003cli\u003eThe client then proceeds to write the downloaded files to an arbitrary, attacker-controlled location on the victim's local filesystem, outside of the current working directory.\u003c/li\u003e\n\u003cli\u003eThe attacker places malicious executable binaries, scripts, or configuration files (e.g., within startup directories, user profile scripts, or system-critical locations).\u003c/li\u003e\n\u003cli\u003eUpon a subsequent system reboot, user login, or specific application execution, the arbitrarily placed malicious file is triggered, leading to persistence, privilege escalation, or arbitrary code execution on the victim's system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of successful exploitation of CVE-2026-59995 can range from denial of service to full system compromise. If an attacker can place malicious executables in startup folders, user profile scripts (like \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e), or other auto-execution paths, they can achieve persistence and potentially arbitrary code execution with the user's privileges. Placement of corrupted or critical configuration files could lead to system instability or denial of service. While the vulnerability requires user interaction to connect to a malicious server, the ability to bypass intended download locations poses a significant security risk, allowing attackers to bypass standard download protections and system integrity checks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching OpenSSH clients to version 10.4 or later immediately to mitigate CVE-2026-59995.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of connecting to untrusted SFTP servers and executing download commands against them.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unusual file writes to system-critical or user-profile directories, especially those typically used for persistence (e.g., startup folders, \u003ccode\u003e/etc/cron.d\u003c/code\u003e, \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T07:41:03Z","date_published":"2026-07-09T07:41:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openssh-sftp-arbitrary-file-placement/","summary":"CVE-2026-59995 describes a vulnerability in the OpenSSH sftp client, specifically versions before 10.4, that allows an attacker to control the location of downloaded files when a user executes 'sftp server:/path .' against an attacker-controlled server, potentially leading to arbitrary file placement and subsequent system compromise.","title":"CVE-2026-59995: OpenSSH SFTP Arbitrary File Placement Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-openssh-sftp-arbitrary-file-placement/"}],"language":"en","title":"CraftedSignal Threat Feed - Arbitrary-File-Placement","version":"https://jsonfeed.org/version/1.1"}