CVE-2012-6066

freeSSHd < 1.2.6 - Unauthenticated Authentication Bypass via Crafted Session

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2012-6066. PoCs published by Metasploit, kingcope, bongbongco, including Metasploit module exploits/windows/ssh/freesshd_authbypass.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass vulnerability in FreeSSHd <= 1.2.6 by leveraging a flaw in the SSH protocol implementation. It attempts to log in with a list of usernames and, upon success, uploads and executes a payload via a VBS command stager.

Description

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/24133

This Metasploit module exploits an authentication bypass vulnerability in FreeSSHd <= 1.2.6 by leveraging a flaw in the SSH protocol implementation. It attempts to log in with a list of usernames and, upon success, uploads and executes a payload via a VBS command stager.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: FreeSSHd <= 1.2.6
No auth needed
Prerequisites: Network access to the target SSH port (default 22) · Valid username (default list includes 'root', 'admin', 'Administrator')
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by kingcope · textremotewindows
https://www.exploit-db.com/exploits/23080

This is a writeup describing an authentication bypass vulnerability in FreeSSHD. It provides instructions on how to exploit the vulnerability by using an SSH client with a valid username, but does not include actual exploit code.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: FreeSSHD all versions
No auth needed
Prerequisites: SSH client · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by kingcope · textremotewindows
https://www.exploit-db.com/exploits/23079

This exploit leverages an authentication bypass in FreeFTPD to upload a malicious MOF file and executable, achieving remote code execution with SYSTEM privileges via a connect-back shell. The technique abuses the Windows Management Instrumentation (WMI) service to execute arbitrary code.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FreeFTPD (all versions, including WeOnlyDo-wodFTPD 2.3.6.165)
No auth needed
Prerequisites: Network access to the target FreeFTPD server · Ability to set up a netcat listener · Modified ssh.exe and sftp.exe for authentication bypass
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by bongbongco · poc
https://github.com/bongbongco/CVE-2012-6066

This PoC exploits CVE-2012-6066, a remote authentication bypass vulnerability in freeSSHd 2.1.3. It leverages Paramiko to establish an SSH session, bypass authentication, and execute arbitrary commands (e.g., launching Internet Explorer) by manipulating the SSH session at the transport and channel level.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: freeSSHd 2.1.3
No auth needed
Prerequisites: Paramiko library · Target running freeSSHd 2.1.3 · Valid username in freeSSHd (no password required)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Aris, kcope · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ssh/freesshd_authbypass.rb

This Metasploit module exploits an authentication bypass vulnerability in FreeSSHd <= 1.2.6 (CVE-2012-6066) by leveraging flawed SSH authentication logic. It brute-forces usernames and executes arbitrary commands via PowerShell or a cmdstager payload upon successful bypass.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: FreeSSHd <= 1.2.6
No auth needed
Prerequisites: Network access to target SSH port (default 22) · Username list or default 'root' username
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html

Scores

EPSS 0.3951
EPSS Percentile 98.4%

Details

CWE
CWE-287
Status published
Products (3)
freesshd/freesshd 1.2.1
freesshd/freesshd 1.2.2
freesshd/freesshd < 1.2.6
Published Dec 04, 2012
Tracked Since Feb 18, 2026