CVE-2002-1059

SecureCRT < 3.4.6 and 4.x < 4.0 beta 3 - Remote Code Execution via Long SSH1 Protocol Version String

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2002-1059. PoCs published by Metasploit, andrea lisci, Kyuzo, including Metasploit module exploits/windows/ssh/securecrt_ssh1.

AI-analyzed exploit summary This exploit targets a buffer overflow in SecureCRT <= 4.0 Beta 2 by sending an overly long SSH1 protocol identifier string. It achieves remote code execution by overwriting the return address and injecting shellcode.

Description

Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x before 4.0 beta 3, allows an SSH server to execute arbitrary code via a long SSH1 protocol version string.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16460

View Code ZIP pw:eip

This exploit targets a buffer overflow in SecureCRT <= 4.0 Beta 2 by sending an overly long SSH1 protocol identifier string. It achieves remote code execution by overwriting the return address and injecting shellcode.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SecureCRT <= 4.0 Beta 2

No auth needed

Prerequisites: Network access to the target · Target must initiate a connection to the attacker's server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by andrea lisci · cremotewindows

https://www.exploit-db.com/exploits/21635

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in SecureCRT's SSH1 protocol identifier handling. It crafts a malicious payload with shellcode to execute arbitrary code, establishing a reverse shell to a specified host and port.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SecureCRT (version not specified, likely older versions)

No auth needed

Prerequisites: Network access to the target · Target must connect to the malicious server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Kyuzo · cdoswindows

https://www.exploit-db.com/exploits/21634

View Code ZIP pw:eip

This exploit triggers a buffer overflow in SecureCRT by sending an overly long SSH1 protocol identifier string. It creates a malicious server that sends a crafted payload to crash or potentially execute arbitrary code on the client.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SecureCRT (version not specified, likely older versions)

No auth needed

Prerequisites: Network access to the target · Target must initiate a connection to the malicious server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ssh/securecrt_ssh1.rb

View Code ZIP pw:eip

This Metasploit module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2 by sending an overly long SSH1 protocol identifier string, allowing arbitrary code execution. It targets SecureCRT.exe version 3.4.4 with a specific return address (0x0041b3e0).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SecureCRT <= 4.0 Beta 2 (tested on 3.4.4)

No auth needed

Prerequisites: Network access to target · Target must initiate SSH connection to attacker-controlled server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=102746007908689&w=2

Mailing List mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=102744150718462&w=2

Patch, Vendor Advisory vdb-entry x_refsource_xf

http://www.iss.net/security_center/static/9650.php

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/4991

Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/5287

Various Sources x_refsource_confirm

http://www.vandyke.com/products/securecrt/security07-25-02.html

Scores

EPSS 0.7311

EPSS Percentile 98.8%

Details

Status published

Products (19)

van_dyke_technologies/securecrt 2.4

van_dyke_technologies/securecrt 3.0

van_dyke_technologies/securecrt 3.1

van_dyke_technologies/securecrt 3.1.1

van_dyke_technologies/securecrt 3.1.2

van_dyke_technologies/securecrt 3.2

van_dyke_technologies/securecrt 3.2.1

van_dyke_technologies/securecrt 3.3

van_dyke_technologies/securecrt 3.3.1

van_dyke_technologies/securecrt 3.3.2

... and 9 more

Published Oct 04, 2002

Tracked Since Feb 18, 2026