CVE-2012-5975

SSH Tectia Server 6.0.4-6.3.2 - Authentication Bypass via Blank Password

Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-5975. PoCs were published by Metasploit, kingcope, bperry, and sinn3r, including the Metasploit module exploits/unix/ssh/tectia_passwd_changereq.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2012-5975, a vulnerability in Tectia SSH server allowing unauthenticated root access via a malformed USERAUTH password change request before authentication.

Description

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/23156

This Metasploit module exploits CVE-2012-5975, a vulnerability in Tectia SSH server allowing unauthenticated root access via a malformed USERAUTH password change request before authentication.

Classification: Working Poc 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Tectia SSH Server 6.3.2.33 or prior
No auth needed
Prerequisites: Network access to the target SSH server
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP · VERIFIED
by kingcope · text · remote · linux
https://www.exploit-db.com/exploits/23082

This is a writeup describing an authentication bypass vulnerability in SSH Tectia Server. The flaw allows an attacker with a valid username to log in without a password by exploiting a bug in the SSH USERAUTH CHANGE REQUEST routine.

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SSH Tectia Server (versions 6.1.9.95, 6.0.11.5)
No auth needed
Prerequisites: valid username on the target system
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by kingcope, bperry, sinn3r · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ssh/tectia_passwd_changereq.rb

This Metasploit module exploits CVE-2012-5975 in Tectia SSH server by sending a malformed SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before authentication, allowing root access without credentials.

Classification: Working Poc 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Tectia SSH Server 6.3 or prior
No auth needed
Prerequisites: Network access to Tectia SSH server on port 22
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0065.html
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0013.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/23082/

Scores

EPSS 0.3587
EPSS Percentile 98.3%

Details

CWE: CWE-287
Status: published
Products (35)
ssh/tectia_server 6.0.4
ssh/tectia_server 6.0.5
ssh/tectia_server 6.0.6
ssh/tectia_server 6.0.7
ssh/tectia_server 6.0.8
ssh/tectia_server 6.0.9
ssh/tectia_server 6.0.10
ssh/tectia_server 6.0.11
ssh/tectia_server 6.0.12
ssh/tectia_server 6.0.13
... and 25 more
Published Dec 04, 2012
Tracked Since Feb 18, 2026