Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
CriticalPublic exploit

OpenSSH ssh-agent PKCS#11 Remote Code Execution via Agent Forwarding

IdentifiersCVE-2023-38408CWE-427

CVE-2023-38408 is a remote code execution vulnerability in the PKCS#11 provider-loading feature of ssh-agent in OpenSSH versions before 9.3p2. The flaw is caused by an insufficiently trustworthy library search path when ssh-agent is induced to load PKCS#11 modules, allowing libraries from locations such as /usr/lib to be loaded even though they are not necessarily safe in this context. Exploitation is possible when a victim forwards their ssh-agent connection to an attacker-controlled system, which can then interact with the forwarded agent and trigger loading of attacker-selected libraries or provider chains from the victim host. The issue is noted as stemming from an incomplete fix for CVE-2016-10009.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow arbitrary code execution on the machine running the victim's ssh-agent, not merely on the remote host receiving the forwarded agent connection. This can result in full compromise of the user context associated with the agent, including loss of confidentiality, integrity, and availability, and may enable theft or misuse of credentials, persistence, and further lateral movement from the compromised workstation or server.

Mitigation

If you can’t patch tonight, do this now.

Do not forward ssh-agent to untrusted or attacker-controlled systems. Where agent forwarding cannot be avoided, restrict PKCS#11/FIDO provider loading by starting ssh-agent with an empty or tightly scoped allowlist, for example using ssh-agent -P '' or an allowlist containing only explicitly trusted provider libraries. Reduce exposure by disabling unnecessary agent forwarding in SSH client configurations and limiting remote access to trusted hosts only.

Remediation

Patch, then assume compromise.

Upgrade OpenSSH to version 9.3p2 or later, or apply vendor-provided fixes for affected downstream products. For appliance and embedded deployments, install the specific firmware or package updates supplied by the vendor. After patching, restart affected ssh-agent processes and re-establish SSH sessions that used agent forwarding so the corrected agent behavior is in effect.
PUBLIC EXPLOITS

Exploits

3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).

VALID 3 / 9 TOTALView more in app
ssh-enumMaturityPoCVerified exploit

This repository is a Python-based SSH user-enumeration research and detection project rather than a single weaponized exploit. Its offensive capability is network-based probing of SSH services to determine whether usernames can be distinguished through authentication behavior, timing differences, or tool-assisted enumeration. The main orchestrator is run_investigation.py, which executes a multi-stage pipeline: raw SSH banner grabbing and version parsing, repeated Paramiko authentication attempts against candidate usernames, statistical timing analysis for CVE-2016-6210-style leakage, and auth.log-based detection engineering. Repository structure is split cleanly into attack_tools and detection_tools. attack_tools/banner_fingerprinter.py opens a raw TCP socket to the SSH port, captures the pre-auth banner, extracts implementation/version/OS hints, and maps versions against a small local CVE registry including CVE-2016-6210, CVE-2023-38408, and CVE-2024-6387. attack_tools/manual_ssh.py is the core probing component: it uses Paramiko to attempt password authentication for each username, records elapsed time until AuthenticationException or connection failure, caches the remote SSH banner, and saves structured JSON results. attack_tools/hydra_automation.py and attack_tools/metasploit_scanner.py are wrappers around external tools; they automate Hydra and Metasploit auxiliary/scanner/ssh/ssh_enumuser respectively, parse outputs, and save findings. The detection side is substantial. detection_tools/log_parser.py parses SSH-related auth.log events such as failed password, invalid user, accepted login, and disconnects. detection_tools/pattern_detector.py identifies rapid username cycling from one IP, wordlist correlation, evenly spaced attempts suggesting automation, and distributed probing of the same username from multiple IPs. detection_tools/response_analyzer.py performs Welch’s t-test and Cohen’s d calculations to decide whether valid and invalid usernames are distinguishable by timing. alerting_system.py formats alerts. The repository also includes notebooks for exploratory analysis, wordlists of common usernames, saved JSON outputs from prior runs, and unit tests. Main exploit capabilities: (1) unauthenticated SSH banner fingerprinting over TCP/22; (2) repeated password-auth attempts against many usernames to test for enumeration leakage; (3) optional automation of Hydra and Metasploit enumeration workflows; (4) statistical determination of whether timing differences imply username existence; and (5) post-event detection/reporting from SSH logs. There is no custom RCE payload or shell delivery. The practical result is reconnaissance and validation of SSH username enumeration exposure, plus defender-focused detection artifacts. Based on the included results, the tested OpenSSH 8.9p1 target did not appear vulnerable to timing-based username enumeration, though its banner exposed version information and matched CVE ranges in the local triage registry.

Alisha-chaudharyDisclosed Apr 30, 2026pythonjsonnetwork
CVE-2023-38408MaturityPoCVerified exploit

Repository contains a single bash script (2023-38408.sh) implementing an operational PoC for CVE-2023-38408 targeting OpenSSH ssh-agent behavior. The script is highly interactive and appears tailored to a CTF/lab flow (prompts for a 'ROOM IP', provides fixed SSH credentials, and waits for operator input). Core behavior: - Preps environment by deleting /tmp/ssh* and then locating an ssh-agent socket via /tmp/ssh-*/agent.* and exporting it as SSH_AUTH_SOCK. - Uses ssh-add -s with multiple library/provider paths (e.g., /usr/lib/systemd/boot/efi/linuxx64.elf.stub and several .so files), consistent with abusing ssh-agent PKCS#11/provider loading paths implicated in CVE-2023-38408 exploitation chains. - Constructs a large payload using perl (NOP sled + header) concatenated with embedded x86_64 shellcode, and sends it directly to the ssh-agent UNIX socket using netcat (nc -U $SSH_AUTH_SOCK). - The embedded shellcode is intended to spawn a bind shell; the script instructs connecting to nc localhost 31337. Notable additional capability: - Appends a hardcoded SSH public key to /root/.ssh/authorized_keys on the machine running the script, which is a persistence/backdoor action unrelated to pure PoC demonstration and should be treated as malicious behavior if run outside a controlled lab. Structure: - Single file, no supporting modules. Entry point is the bash script itself. The script mixes bash, perl one-liner payload generation, ssh-add invocations, and UNIX-socket communication to the agent.

xitexploiter96-dotDisclosed Jan 24, 2026bashperllocal (ssh-agent UNIX socket abuse / agent forwarding scenario)
CVE-2023-38408MaturityPoCVerified exploit

This repository contains a Bash proof-of-concept exploit for CVE-2023-38408, a remote code execution vulnerability in OpenSSH's ssh-agent forwarding (affecting versions prior to 9.3p2). The exploit is tailored for the TryHackMe lab environment and automates the attack process. The main script, 'CVE-2023-38408.sh', guides the user through setting up the attack, including SSH access to the victim, manipulation of ssh-agent sockets, and sideloading of malicious libraries. It delivers custom x86_64 shellcode to the victim's ssh-agent via a Unix socket, ultimately opening a bind shell on port 31337. The script interacts with several system files and libraries, and requires the attacker to have SSH credentials for the victim. The README provides context and usage notes, emphasizing that the exploit is intended for educational use within the TryHackMe environment. No external network endpoints or domains are hardcoded; all targeting is local to the victim and attacker machines within the lab.

kali-mxDisclosed Aug 9, 2023bashnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Fedora ProjectFedoraoperating_system
OpenbsdOpensshapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.