CVE-2017-1000475

HIGH

FreeSSHd <1.3.1 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-1000475. PoCs published by boku, jlajara, lajarajorge.

AI-analyzed exploit summary This is a writeup demonstrating an unquoted service path vulnerability in FreeSSHd 1.3.1. The exploit leverages the lack of quotes around the service path to potentially execute arbitrary code if an attacker can place a malicious executable in the path.

Description

FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allowing local users to launch processes with elevated privileges.

Exploits (3)

exploitdb WRITEUP

by boku · textlocalwindows

https://www.exploit-db.com/exploits/48044

View Code ZIP pw:eip

This is a writeup demonstrating an unquoted service path vulnerability in FreeSSHd 1.3.1. The exploit leverages the lack of quotes around the service path to potentially execute arbitrary code if an attacker can place a malicious executable in the path.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Trivial

Reliability

Theoretical

Target: FreeSSHd 1.3.1

Auth required

Prerequisites: Local access to the system · Ability to write to the directory structure where the unquoted path is located

MITRE ATT&CK

T1574.009 - Path Interception by Unquoted Path

devstral-2 · analyzed Feb 16, 2026 Full analysis →

gitlab WRITEUP

by jlajara · poc

https://gitlab.com/jlajara/cve-2017-1000475

View Code ZIP pw:eip

This repository documents a local privilege escalation (LPE) vulnerability in freeSSHd 1.3.1 due to an unquoted service path. The writeup includes detailed steps, screenshots, and a proof-of-concept using MSFVenom to achieve SYSTEM-level reverse shell execution upon service restart.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: freeSSHd 1.3.1

No auth needed

Prerequisites: freeSSHd 1.3.1 installed as a service with unquoted path · ability to restart the service · write access to the directory containing the executable

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 23, 2026 Full analysis →

nomisec WRITEUP

by lajarajorge · poc

https://github.com/lajarajorge/CVE-2017-1000475

View Code ZIP pw:eip

This repository documents an unquoted service path vulnerability in freeSSHd 1.3.1, allowing local privilege escalation (LPE) to SYSTEM via a crafted executable named 'Program.exe'. The writeup includes step-by-step exploitation details with screenshots but lacks functional exploit code.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: freeSSHd 1.3.1

Auth required

Prerequisites: Local access to the target system · freeSSHd installed with default unquoted service path

MITRE ATT&CK

T1547.001 - Registry Run Keys / Startup Folder

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/lajarajorge/CVE-2017-1000475/blob/master/README.md

View Exploit ZIP pw:eip

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/48044

Scores

CVSS v3 7.8

EPSS 0.0063

EPSS Percentile 45.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-428

Status published

Products (1)

freesshd/freesshd 1.3.1

Published Jan 24, 2018

Tracked Since Feb 18, 2026