{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/configuration-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.9,"id":"CVE-2026-59999"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenSSH (\u003c 10.4)"],"_cs_severities":["medium"],"_cs_tags":["ssh","openssh","vulnerability","configuration-bypass","linux","macos"],"_cs_type":"advisory","_cs_vendors":["OpenSSH"],"content_html":"\u003cp\u003eThe Microsoft Security Response Center (MSRC) has published details on CVE-2026-59999, a logic error affecting the \u003ccode\u003esshd\u003c/code\u003e component of OpenSSH versions prior to 10.4. This vulnerability stems from an incorrect precedence rule when \u003ccode\u003eDisableForwarding=yes\u003c/code\u003e and \u003ccode\u003ePermitTunnel=yes\u003c/code\u003e are simultaneously configured in the \u003ccode\u003esshd_config\u003c/code\u003e file. Despite an administrator's intention to prevent SSH forwarding via \u003ccode\u003eDisableForwarding=yes\u003c/code\u003e, the \u003ccode\u003ePermitTunnel=yes\u003c/code\u003e option inadvertently takes precedence, enabling an authenticated attacker to establish an SSH tunnel. This bypass of intended security controls creates a pathway for attackers to circumvent network segmentation, access internal services, or exfiltrate data from environments where SSH forwarding was presumed to be blocked. The vulnerability was disclosed on July 9, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access (e.g., via stolen credentials or another vulnerability) to a server running a vulnerable \u003ccode\u003esshd\u003c/code\u003e instance (OpenSSH prior to version 10.4).\u003c/li\u003e\n\u003cli\u003eThe target \u003ccode\u003esshd\u003c/code\u003e server's configuration (\u003ccode\u003esshd_config\u003c/code\u003e) contains a conflicting setup where both \u003ccode\u003eDisableForwarding=yes\u003c/code\u003e and \u003ccode\u003ePermitTunnel=yes\u003c/code\u003e are enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an SSH tunnel, such as local port forwarding, remote port forwarding, or a SOCKS proxy, from their client to the compromised server.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esshd\u003c/code\u003e process on the server incorrectly prioritizes \u003ccode\u003ePermitTunnel=yes\u003c/code\u003e over \u003ccode\u003eDisableForwarding=yes\u003c/code\u003e due to the logic error, allowing the tunnel setup.\u003c/li\u003e\n\u003cli\u003eAn unauthorized SSH tunnel is successfully established, bypassing the administrator's intended security policy to disable forwarding.\u003c/li\u003e\n\u003cli\u003eThe attacker then utilizes this tunnel to circumvent network access controls or firewall rules, enabling connections to internal network resources that would otherwise be unreachable.\u003c/li\u003e\n\u003cli\u003eThis unauthorized network access allows the attacker to conduct further reconnaissance, pivot deeper into the network, exfiltrate sensitive data, or deploy additional malicious tools.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59999 allows an authenticated attacker to bypass intended network security policies, specifically those designed to prevent SSH forwarding. This can lead to unauthorized network access, enabling attackers to circumvent firewall rules, reach internal systems, or pivot to otherwise isolated network segments. While no specific victim counts or sectors have been reported, any organization utilizing OpenSSH \u003ccode\u003esshd\u003c/code\u003e with the described conflicting configuration is at risk of unauthorized internal network traversal and potential data exfiltration or further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch OpenSSH \u003ccode\u003esshd\u003c/code\u003e to version 10.4 or later to remediate CVE-2026-59999.\u003c/li\u003e\n\u003cli\u003eReview all \u003ccode\u003esshd_config\u003c/code\u003e files across your infrastructure to ensure that if \u003ccode\u003eDisableForwarding=yes\u003c/code\u003e is intended, \u003ccode\u003ePermitTunnel=no\u003c/code\u003e is explicitly set or omitted (as \u003ccode\u003eno\u003c/code\u003e is often the default).\u003c/li\u003e\n\u003cli\u003eAudit your network for unusual SSH tunnel activity, as this vulnerability bypasses configuration rather than introducing novel network signatures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T07:42:56Z","date_published":"2026-07-09T07:42:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openssh-sshd-config-bypass/","summary":"A logic error in OpenSSH's sshd daemon before version 10.4 allowed the PermitTunnel configuration to take precedence over DisableForwarding=yes, leading to unintended SSH tunnel establishment and potential unauthorized network access through the tunnel feature.","title":"CVE-2026-59999: OpenSSH sshd Configuration Bypass via PermitTunnel","url":"https://feed.craftedsignal.io/briefs/2026-07-openssh-sshd-config-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Configuration-Bypass","version":"https://jsonfeed.org/version/1.1"}